samba-tool ldapcmp: Remove the GUID -> name mappings

These mappings are very convenient, however because they are not
one-to-one, they lead to differences being reported when none exist,
dependent only on the order the schema searches return results in.

Sadly the time saved by the names is offset by the time wasted chasing
the 'differences' that don't exist.

This in turn fixes some tests that were previously knownfail

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>

python/samba/netcmd/ldapcmp.py

@@ -80,7 +80,6 @@ class LDAPBase(object):
         self.server_names = self.find_servers()
         self.domain_name = re.sub("[Dd][Cc]=", "", self.base_dn).replace(",", ".")
         self.domain_sid = self.find_domain_sid()
-        self.get_guid_map()
         self.get_sid_map()
         #
         # Log some domain controller specific place-holers that are being used
@@ -250,20 +249,6 @@ class LDAPBase(object):
         assert index == len(blob)
         return res.strip().replace(" ", "-")
 
-    def get_guid_map(self):
-        """ Build dictionary that maps GUID to 'name' attribute found in Schema or Extended-Rights.
-        """
-        self.guid_map = {}
-        res = self.ldb.search(base=self.schema_dn,
-                              expression="(schemaIdGuid=*)", scope=SCOPE_SUBTREE, attrs=["schemaIdGuid", "name"])
-        for item in res:
-            self.guid_map[self.guid_as_string(item["schemaIdGuid"]).lower()] = item["name"][0]
-        #
-        res = self.ldb.search(base="cn=extended-rights,%s" % self.config_dn,
-                              expression="(rightsGuid=*)", scope=SCOPE_SUBTREE, attrs=["rightsGuid", "name"])
-        for item in res:
-            self.guid_map[str(item["rightsGuid"]).lower()] = item["name"][0]
-
     def get_sid_map(self):
         """ Build dictionary that maps GUID to 'name' attribute found in Schema or Extended-Rights.
         """
@@ -299,22 +284,6 @@ class Descriptor(object):
             return []
         return re.findall("(\(.*?\))", res)
 
-    def fix_guid(self, ace):
-        res = "%s" % ace
-        guids = re.findall("[a-z0-9]+?-[a-z0-9]+-[a-z0-9]+-[a-z0-9]+-[a-z0-9]+", res)
-        # If there are not GUIDs to replace return the same ACE
-        if len(guids) == 0:
-            return res
-        for guid in guids:
-            try:
-                name = self.con.guid_map[guid.lower()]
-                res = res.replace(guid, name)
-            except KeyError:
-                # Do not bother if the GUID is not found in
-                # cn=Schema or cn=Extended-Rights
-                pass
-        return res
-
     def fix_sid(self, ace):
         res = "%s" % ace
         sids = re.findall("S-[-0-9]+", res)
@@ -330,14 +299,6 @@ class Descriptor(object):
                 pass
         return res
 
-    def fixit(self, ace):
-        """ Combine all replacement methods in one
-        """
-        res = "%s" % ace
-        res = self.fix_guid(res)
-        res = self.fix_sid(res)
-        return res
-
     def diff_1(self, other):
         res = ""
         if len(self.dacl_list) != len(other.dacl_list):
@@ -361,8 +322,8 @@ class Descriptor(object):
                 other_ace = ""
             if len(self_ace) + len(other_ace) == 0:
                 break
-            self_ace_fixed = "%s" % self.fixit(self_ace)
-            other_ace_fixed = "%s" % other.fixit(other_ace)
+            self_ace_fixed = "%s" % self.fix_sid(self_ace)
+            other_ace_fixed = "%s" % other.fix_sid(other_ace)
             if self_ace_fixed != other_ace_fixed:
                 res += "%60s * %s\n" % ( self_ace_fixed, other_ace_fixed )
                 flag = False
@@ -383,8 +344,8 @@ class Descriptor(object):
         other_aces = []
         self_dacl_list_fixed = []
         other_dacl_list_fixed = []
-        [self_dacl_list_fixed.append( self.fixit(ace) ) for ace in self.dacl_list]
-        [other_dacl_list_fixed.append( other.fixit(ace) ) for ace in other.dacl_list]
+        [self_dacl_list_fixed.append( self.fix_sid(ace) ) for ace in self.dacl_list]
+        [other_dacl_list_fixed.append( other.fix_sid(ace) ) for ace in other.dacl_list]
         for ace in self_dacl_list_fixed:
             try:
                 other_dacl_list_fixed.index(ace)

selftest/knownfail

@@ -159,11 +159,9 @@
 ^samba4.rpc.lsa.forest.trust #Not fully provided by Samba4
 ^samba4.blackbox.kinit\(.*\).kinit with user password for expired password\(.*\) # We need to work out why this fails only during the pw change
 ^samba4.blackbox.dbcheck\(vampire_dc\).dbcheck\(vampire_dc:local\) # Due to replicating with --domain-critical-only we fail dbcheck on this database
-^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
-^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
-^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
-^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
-^samba4.blackbox.dbcheck.release-4-0-0.ldapcmp_sd\(none\) # We do not yet know how to reset the DC ACL with dbcheck
+^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
+^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
+^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
 ^samba3.smb2.create.gentest
 ^samba3.smb2.create.blob
 ^samba3.smb2.create.open