From c4f7b0e5f673943dfdda88f3e289912778a07a33 Mon Sep 17 00:00:00 2001
From: Matthieu Patou <mat@matws.net>
Date: Mon, 14 Jun 2010 12:28:58 +0400
Subject: s4 upgradeprovision: Check that the policy for DC is present if not
 warn the user

Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
---
 source4/scripting/bin/upgradeprovision           | 18 ++++++++++++++----
 source4/scripting/python/samba/upgradehelpers.py | 24 ++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 4 deletions(-)

(limited to 'source4/scripting')

diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision
index f90443318a..a478856165 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -56,7 +56,7 @@ from samba.upgradehelpers import (dn_sort, get_paths, newprovision,
                                  update_secrets, CHANGE, ERROR, SIMPLE,
                                  CHANGEALL, GUESS, CHANGESD, PROVISION,
                                  updateOEMInfo, getOEMInfo, update_gpo,
-                                 delta_update_basesamdb)
+                                 delta_update_basesamdb, update_policyids)
 
 replace=2**FLAG_MOD_REPLACE
 add=2**FLAG_MOD_ADD
@@ -1432,8 +1432,8 @@ if __name__ == '__main__':
         # 11) B
         simple_update_basesamdb(newpaths, paths, names)
         ldbs = get_ldbs(paths, creds, session, lp)
-        ldbs.startTransactions()
         removeProvisionUSN(ldbs.sam)
+        ldbs.startTransactions()
 
     # 12)
     schema = Schema(setup_path, names.domainsid, schemadn=str(names.schemadn),
@@ -1497,10 +1497,20 @@ if __name__ == '__main__':
     # 22)
     if lastProvisionUSNs != None:
         updateProvisionUSN(ldbs.sam, minUSN, maxUSN)
+    if opts.full and (names.policyid == None or names.policyid_dc == None):
+        update_policyids(names, ldbs.sam)
     if opts.full or opts.resetfileacl:
-        update_gpo(paths, ldbs.sam, names, lp, message, 1)
+        try:
+            update_gpo(paths, ldbs.sam, names, lp, message, 1)
+        except ProvisioningError, e:
+            message(ERROR, "The policy for domain controller is missing," \
+                           " you should restart upgradeprovision with --full")
     else:
-        update_gpo(paths, ldbs.sam, names, lp, message, 0)
+        try:
+            update_gpo(paths, ldbs.sam, names, lp, message, 0)
+        except ProvisioningError, e:
+            message(ERROR, "The policy for domain controller is missing," \
+                           " you should restart upgradeprovision with --full")
     ldbs.groupedCommit()
     new_ldbs.groupedCommit()
     message(SIMPLE, "Upgrade finished !")
diff --git a/source4/scripting/python/samba/upgradehelpers.py b/source4/scripting/python/samba/upgradehelpers.py
index 78e23a2f87..4cb84ba54f 100755
--- a/source4/scripting/python/samba/upgradehelpers.py
+++ b/source4/scripting/python/samba/upgradehelpers.py
@@ -187,6 +187,26 @@ def get_paths(param, targetdir=None, smbconf=None):
     paths = provision_paths_from_lp(lp, lp.get("realm"))
     return paths
 
+def update_policyids(names, samdb):
+    """Update policy ids that could have changed after sam update
+
+    :param names: List of key provision parameters
+    :param samdb: An Ldb object conntected with the sam DB
+    """
+    # policy guid
+    res = samdb.search(expression="(displayName=Default Domain Policy)",
+                        base="CN=Policies,CN=System," + str(names.rootdn),
+                        scope=SCOPE_ONELEVEL, attrs=["cn","displayName"])
+    names.policyid = str(res[0]["cn"]).replace("{","").replace("}","")
+    # dc policy guid
+    res2 = samdb.search(expression="(displayName=Default Domain Controllers" \
+                                   " Policy)",
+                            base="CN=Policies,CN=System," + str(names.rootdn),
+                            scope=SCOPE_ONELEVEL, attrs=["cn","displayName"])
+    if len(res2) == 1:
+        names.policyid_dc = str(res2[0]["cn"]).replace("{","").replace("}","")
+    else:
+        names.policyid_dc = None
 
 def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf, lp):
     """Get key provision parameters (realm, domain, ...) from a given provision
@@ -562,6 +582,8 @@ def update_secrets(newsecrets_ldb, secrets_ldb, messagefunc):
         for att in hashAttrNotCopied.keys():
             delta.remove(att)
         for att in delta:
+            if att == "msDS-KeyVersionNumber":
+                delta.remove(att)
             if att != "dn":
                 messagefunc(CHANGE,
                             "Adding/Changing attribute %s to %s" % \
@@ -632,6 +654,8 @@ def update_gpo(paths, samdb, names, lp, message, force=0):
     if not os.path.isdir(dir):
         create_gpo_struct(dir)
 
+    if names.policyid_dc == None:
+        raise ProvisioningError("Policy ID for Domain controller is missing")
     dir = getpolicypath(paths.sysvol, names.dnsdomain, names.policyid_dc)
     if not os.path.isdir(dir):
         create_gpo_struct(dir)
-- 
cgit