From 4136d969cab5d4690f00c855bd98dc01253d73d9 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 22 Nov 2012 16:22:30 +0100 Subject: s4:samba_upgradeprovision: use the sd_flags:1:15 control with an empty sd The sd_flags:1:15 control together with an empty security_descriptor has the same effect as the recalculate_sd:0 control (which is samba only). Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam --- source4/scripting/bin/samba_upgradeprovision | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision index b3fb0b0c97..7060b73f23 100755 --- a/source4/scripting/bin/samba_upgradeprovision +++ b/source4/scripting/bin/samba_upgradeprovision @@ -46,11 +46,13 @@ from ldb import (SCOPE_SUBTREE, SCOPE_BASE, from samba import param, dsdb, Ldb from samba.common import confirm from samba.provision import (get_domain_descriptor, find_provision_key_parameters, - get_config_descriptor, + get_config_descriptor, get_empty_descriptor, ProvisioningError, get_last_provision_usn, get_max_usn, update_provision_usn, setup_path) from samba.schema import get_linked_attributes, Schema, get_schema_descriptor from samba.dcerpc import security, drsblobs +from samba.dcerpc.security import ( + SECINFO_OWNER, SECINFO_GROUP, SECINFO_DACL, SECINFO_SACL) from samba.ndr import ndr_unpack from samba.upgradehelpers import (dn_sort, get_paths, newprovision, get_ldbs, findprovisionrange, @@ -1032,7 +1034,8 @@ def update_present(ref_samdb, samdb, basedn, listPresent, usns): raise ProvisioningError(msg) changed = 0 - controls = ["search_options:1:2", "sd_flags:1:0"] + sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL + controls = ["search_options:1:2", "sd_flags:1:%d" % sd_flags] if usns is not None: message(CHANGE, "Using replPropertyMetadata for change selection") for dn in listPresent: 
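Review bot: The mask `SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL` is spelled out here in update_present and again in rebuild_sd, where it sits after a `continue` and so is presumably recomputed on every pass of a loop whose header is outside the hunk. A single module-level definition next to the new import, e.g. `SD_FLAGS_ALL = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL`, would keep the search control and the modify control from drifting apart. A short comment such as `# all four parts of the security descriptor: owner, group, DACL, SACL` would also let a reader connect the computed value to the "sd_flags:1:15" named in the commit title. The place where `controls` is consumed lies outside this hunk, so the searches it feeds are not reviewed here.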
@@ -1352,16 +1355,20 @@ def rebuild_sd(samdb, names): continue delta = Message() delta.dn = Dn(samdb, key) + sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL try: delta["whenCreated"] = MessageElement(hash[key], FLAG_MOD_REPLACE, "whenCreated" ) - samdb.modify(delta, ["recalculate_sd:0","relax:0"]) + descr = get_empty_descriptor(names.domainsid) + delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE, + "nTSecurityDescriptor") + samdb.modify(delta, ["sd_flags:1:%d" % sd_flags,"relax:0"]) except LdbError, e: samdb.transaction_cancel() - res = samdb.search(expression="objectClass=*", base=str(names.rootdn), - scope=SCOPE_SUBTREE, - attrs=["dn", "nTSecurityDescriptor"], - controls=["search_options:1:2"]) + res = samdb.search(expression="objectClass=*", base=str(delta.dn), + scope=SCOPE_BASE, + attrs=["nTSecurityDescriptor"], + controls=["sd_flags:1:%d" % sd_flags]) badsd = ndr_unpack(security.descriptor, str(res[0]["nTSecurityDescriptor"])) message(ERROR, "On %s bad stuff %s" % (str(delta.dn),badsd.as_sddl(names.domainsid))) -- cgit
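Review bot: The rewritten lookup in the `except LdbError, e:` branch of rebuild_sd can itself raise, which would replace the modify failure it is meant to report. The base-scope search can raise an LdbError if `delta.dn` cannot be read, and `res[0]["nTSecurityDescriptor"]` can raise IndexError or KeyError. The caught `e` is also never put into the message, so the operator sees the descriptor but not why writing the empty descriptor was rejected. I would make the descriptor lookup best-effort and always log `str(e)`, as sketched below. Separately, `get_empty_descriptor(names.domainsid)` does not appear to depend on the per-object key and could be built once before the loop. The function continues past the end of this hunk, so whatever follows the message call is left as it is.

```python
        except LdbError, e:
            samdb.transaction_cancel()
            # The SD lookup is diagnostic only; it must not mask the modify error.
            try:
                res = samdb.search(expression="objectClass=*", base=str(delta.dn),
                                   scope=SCOPE_BASE,
                                   attrs=["nTSecurityDescriptor"],
                                   controls=["sd_flags:1:%d" % sd_flags])
                badsd = ndr_unpack(security.descriptor,
                                   str(res[0]["nTSecurityDescriptor"]))
                sddl = badsd.as_sddl(names.domainsid)
            except (LdbError, IndexError, KeyError):
                sddl = "<descriptor unavailable>"
            message(ERROR, "On %s bad stuff %s (modify failed: %s)" %
                    (str(delta.dn), sddl, str(e)))
```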