summaryrefslogtreecommitdiff
path: root/source4/scripting
AgeCommit message (Collapse)AuthorFilesLines
2013-03-25scripting: Fill the ProvisionNames hash with strings, not ldb.MessageElement ↵Andrew Bartlett1-15/+1
or Dn This avoids the need to fix it up again in samba_upgradedns. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Mon Mar 25 13:25:30 CET 2013 on sn-devel-104
2013-03-25scripting: Move get_diff_sds from samba.upgradehelpers to samba.descriptorAndrew Bartlett1-2/+2
This helps avoid a dependency loop when we use get_diff_sds in dbcheck. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-25scripting: Modify samba.descriptor.get_wellknown_sds() use samdb calls onlyAndrew Bartlett1-1/+1
We need this routine not to use the names context as this is tied to provision, and we end up in a circular dependency if we use that in dbcheck. Andrew Bartlett
2013-03-25scripting: Move samba.provision.descriptor to samba.descriptorAndrew Bartlett1-1/+1
This will allow dbcheck to import it, without a cirucular dependency via samba.provision importing dbcheck. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-25scripting: Make samba.provision.descriptor.get_wellknown_sds() return ldb.Dn ↵Andrew Bartlett1-3/+2
objects As we look to use this function in more places, it does not make sense to constantly create Dn objects from the strings. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-25scripting: Move the list of well known SDs to samba.provision.descriptorAndrew Bartlett1-71/+2
This will allow us to call this from dbcheck. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-12scripting: No longer install samba_upgradeprovisionAndrew Bartlett1-1/+1
This tool is an important part of the toolkit a Samba Team member can use to assist a user with the upgrade of a very old Samba 4.0 AD DC installation. However, like all powerful tools, it has sharp edges, and these need to have more protection added before we recommend the tool be used. The WHATSNEW already indicated that this tool should not be used but a large number of users have run it, and due to lack of testing in the past, some have run into bugs. While this tool can be run in debug modes, by default it simply fixes the database following a series of internal rule. This does a good job much of the time, but does not request permission in the way that dbcheck does, and will create extra objects for things like the DNS partitions. By removing this from the installed binaries, we provide another signal that it should not be used right now, until these matters are fixed and some clear documentation on how to safely use the tool can be written. Andrew Bartlett Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Tue Mar 12 02:51:23 CET 2013 on sn-devel-104
2013-03-04samba_upgradeprovision: Do not reset every DN when changing an SDAndrew Bartlett1-22/+8
SD propogation is handled by an LDB module, we do not need to touch each and every DN to make it happen. Now that we do not need to put this via a hash, the dnToRecalculate list is changed to be a list of Dn objects, not strings so that: if dn in listWellknown is handled using a schema comparison (avoiding different case forms tripping it up). Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-04samba_upgradeprovision: do not maintain dnNotToRecalculate as a listAndrew Bartlett1-5/+3
We only need a boolean indication, not the actual values. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-04samba_upgradeprovision: only run rebuild_sd in --full modeAndrew Bartlett1-20/+17
This is a potentially destructive routine, and should not be run by default. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-04samba_upgradeprovision: Remove alwaysRecalculate, this is too dangerousAndrew Bartlett1-4/+1
I am unclear on why this was added, but the idea that we ever always reset data in the directory is not reasonable to me, so I am removing it. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-04samba_upgradeprovision: Remove unused checkKeepAttributeOldMtdAndrew Bartlett1-73/+6
lastProvisionUSNs is never None, instead the code requries the administrator to populate this attribute in the directory. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-04scripting: Rework samba.upgradehelpers.get_diff_sddls to be get_diff_sdsAndrew Bartlett1-11/+10
This moves the SDDL conversion inside the get_diff_sds function and prepares for removing inherited ACEs from the SD before comparison. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-04samba_upgradeprovision: Remove auto-detection of pre-alpha9 databasesAndrew Bartlett1-5/+6
These are incredibly rare, and administrators running such databases not only ask the Samba Team for help personally, they can read --help. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-03-02Remove incomplete check for IPv6 link-local addresses.Landon Fuller1-3/+1
This has been superceded by a check for link-local addresses in get_interfaces() Signed-Off-By: Landon Fuller <landonf@bikemonkey.org> Reviewed-By: Richard Sharpe <realrichardsharpe@gmail.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Mar 2 08:38:54 CET 2013 on sn-devel-104
2013-03-02Move python modules from source4/scripting/python/ to python/.Jelmer Vernooij114-31384/+1
Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Mar 2 03:57:34 CET 2013 on sn-devel-104
2013-03-02build: Rename samba_python waf node to avoid duplicate nameAndrew Bartlett1-1/+1
This makes it clearer when debuging build issues. Andrew Bartlett
2013-02-20ntdb: switch between secrets.tdb and secrets.ntdb depending on 'use ntdb'Rusty Russell3-5/+8
Since we open with dbwrap, it auto-converts old tdbs (which it will rename to secrets.tdb.bak once it's done). Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Rusty Russell <rusty@rustcorp.com.au> Autobuild-Date(master): Wed Feb 20 07:09:19 CET 2013 on sn-devel-104
2013-02-19samba_upgradeprovision: Use tdb_util.tdb_copy not shutil.copy2Andrew Bartlett1-13/+17
This is really important, because copying a file will both ignore locks held by another process and break any locks we hold (due to POSIX brain-damage regarding multiple fds on one file in a process). By leaving this to tdbbackup in a child, both of these issues are avoided. Andrew Bartlett Reviewed-by: Matthieu Patou <mat@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Feb 19 07:48:18 CET 2013 on sn-devel-104
2013-02-19samba_upgradeprovision: Do not update privileges.ldb any more (unchanged ↵Andrew Bartlett1-16/+4
since 2009) This update was only a total oblitoration of the existing database and not a merge, and the shutil.copy would both disregard and break locks on the database that are held at this point. Andrew Bartlett Reviewed-by: Matthieu Patou <mat@samba.org>
2013-02-19scripting: Make tdb_copy a common util function in samba.tdb_utilAndrew Bartlett3-20/+43
This will allow samba_upgradeprovision to also call it. Andrew Bartlett Reviewed-by: Matthieu Patou <mat@samba.org>
2013-02-19scripting: Make tdb_copy use the python subprocess moduleAndrew Bartlett1-7/+9
This makes the code more robust to spaces in the file names (etc). Andrew Bartlett Reviewed-by: Matthieu Patou <mat@samba.org>
2013-02-19samba_upgradeprovision: Remove options to fix FS ACLsAndrew Bartlett2-271/+205
samba-tool ntacl sysvolreset handles this better, and makes this tool much less confusing internally. Andrew Bartlett Reviewed-by: Matthieu Patou <mat@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Feb 19 06:06:41 CET 2013 on sn-devel-104
2013-02-04samba-tool/domain provision: add support for utf-8 passwords for --adminpassStefan Metzmacher1-0/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Mon Feb 4 18:54:32 CET 2013 on sn-devel-104
2013-02-04samba-tool/user setpassword: fix help messageStefan Metzmacher1-3/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-04s4:scripting/python: add support for utf-8 passwords from the command lineStefan Metzmacher1-1/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-02-04selftest: add a test that demonstrates how new ACL blob code helpsChristian Ambach1-0/+17
this test shows that a change to POSIX ACL->SD mapping behavior does not invalidate the stored SD Signed-off-by: Christian Ambach <ambi@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27samba_upgradeprovision: detect dns_backend for the reference provisionStefan Metzmacher2-10/+11
If we have a DomainDnsZone partition, we use BIND9_DLZ as backend and fix errors in the ForestDnsZone and DomainDnsZone partitions. Note: this should work fine also for SAMBA_INTERNAL. If the current setup doesn't use dns specific partitions (e.g. alpha13 setups) we pass dns_backend=BIND9_FLATFILE. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27provision: setup names.dns_backendStefan Metzmacher1-0/+26
If we have a DomainDnsZone partition: - we use BIND9_DLZ as backend if a dns-<netbiosname> account is available - otherwise, we use SAMBA_INTERNAL else: - we use BIND9_FLATFILE if a dns or dns-<netbiosname> account is available - otherwise, we use NONE Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27samba_upgradeprovision: fix the nTSecurityDescriptor on more containers (bug ↵Stefan Metzmacher1-36/+92
#9481) Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27provision: fix nTSecurityDescriptor of containers in the DnsZones (bug #9481)Stefan Metzmacher1-11/+19
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27provision: fix nTSecurityDescriptor attributes of CN=*,${CONFIGDN} (bug #9481)Stefan Metzmacher1-0/+21
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27provision: fix nTSecurityDescriptor of CN={LostAndFound,System},${DOMAINDN} ↵Stefan Metzmacher1-0/+4
(bug #9481) Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27provision: setup names.name_map['DnsAdmins']Stefan Metzmacher1-0/+5
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27provision: introduce names.name_map = {}Stefan Metzmacher1-0/+1
This will be used to translated names in SDDL values, which are not wellknown, e.g. 'DnsAdmins'. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27provision: add get_dns_{forest,domain}_microsoft_dns_descriptor()Stefan Metzmacher2-0/+16
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27provision: add get_config_ntds_quotas_descriptor()Stefan Metzmacher2-0/+8
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27provision: add get_{config,domain}_delete_protected*_descriptor()Stefan Metzmacher2-0/+40
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27schema.py: add optional name_map={} to get_schema_descriptor()Stefan Metzmacher1-1/+1
This is not used, but makes the prototype compatible with the other get_*_descriptor() functions. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27provision: add optional name_map={} argument to get_*_descriptor()Stefan Metzmacher1-32/+30
This will allow subsitute non-wellkown names in the SDDL, e.g. 'DnsAdmins'. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27provision: import/export get_dns_partition_descriptor()Stefan Metzmacher1-1/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27provision: setup names.dns{forest,domain}dnStefan Metzmacher1-1/+22
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27samba_upgradeprovision: fix resetting of 'nTSecurityDescriptor' on schema ↵Stefan Metzmacher1-1/+1
objects Without this schema_data_modify() will reject updates to schema objects by default. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27samba_upgradeprovision: don't reset 'whenCreated' when resetting ↵Stefan Metzmacher1-2/+0
'nTSecurityDescriptor' Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-27dbckecker: fix nTSecurityDescriptor values from before 4.0.0rc6 (bug #9481)Stefan Metzmacher1-2/+181
They inherited effective ACE for the wrong object classes. For SACL ACEs the problem was also present in 4.0.0. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-22devel-script: add options for RODC and partial replica for replicate flagsMatthieu Patou1-1/+21
Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue Jan 22 00:12:17 CET 2013 on sn-devel-104
2013-01-21devel-scripts: ask with WRIT_REP by defaultMatthieu Patou1-0/+1
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21devel-getncchange: try to find the dest_dsa automaticallyMatthieu Patou1-3/+19
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-21dbcheck: look in hasMasterNCs as well for determining the instance type of a NCMatthieu Patou1-2/+10
Forest of level 2000 don't hve the msDS-hasMasterNCs parameter Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-01-10scripting/samba_upgradedns: Only look for IPv4/IPv6 addresses if we actually ↵Andrew Bartlett1-21/+22
them This allows the script to be used to create/remove the samba-specific dns-SERVER account when we do not need to create the in-directory partition. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Jan 10 20:56:50 CET 2013 on sn-devel-104