samba_upgradeprovision: Do not reset every DN when changing an SD

SD propogation is handled by an LDB module, we do not need to touch each
and every DN to make it happen.

Now that we do not need to put this via a hash, the dnToRecalculate
list is changed to be a list of Dn objects, not strings so that:

if dn in listWellknown

is handled using a schema comparison (avoiding different case forms
tripping it up).

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>

source4/scripting/bin/samba_upgradeprovision

@@ -921,7 +921,7 @@ def checkKeepAttributeWithMetadata(delta, att, message, reference, current,
                                     " cames from the modification or from a previous bug")
                     dnNotToRecalculateFound = True
                 else:
-                    dnToRecalculate.append(str(dn))
+                    dnToRecalculate.append(dn)
                 continue
 
         if attrUSN == -1:
@@ -1282,11 +1282,12 @@ def fix_wellknown_sd(samdb, names):
              get_dns_domain_microsoft_dns_descriptor)
         subcontainers.append(c)
 
-    for [dn, descriptor_fn] in subcontainers:
+    for [strdn, descriptor_fn] in subcontainers:
+        dn = Dn(samdb, strdn)
         list_wellknown_dns.append(dn)
         if dn in dnToRecalculate:
             delta = Message()
-            delta.dn = Dn(samdb, str(dn))
+            delta.dn = dn
             descr = descriptor_fn(names.domainsid, name_map=names.name_map)
             delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE,
                                                             "nTSecurityDescriptor" )
@@ -1311,30 +1312,16 @@ def rebuild_sd(samdb, names):
 
     listWellknown = fix_wellknown_sd(samdb, names)
 
-    hash = {}
-    for dn in dnToRecalculate:
-        if hash.has_key(dn):
-            continue
-            # fetch each dn to recalculate and their child within the same partition
-        res = samdb.search(expression="objectClass=*", base=dn,
-                           scope=SCOPE_SUBTREE, attrs=["dn", "whenCreated"])
-        for obj in res:
-            hash[str(obj["dn"])] = obj["whenCreated"]
-
-    listKeys = list(set(hash.keys()))
-    listKeys.sort(dn_sort)
-
     if len(dnToRecalculate) != 0:
         message(CHANGESD, "%d DNs have been marked as needed to be recalculated"
-                            ", recalculating %d due to inheritance"
-                            % (len(dnToRecalculate), len(listKeys)))
+                            % (len(dnToRecalculate)))
 
-    for key in listKeys:
+    for dn in dnToRecalculate:
         # well known SDs have already been reset
-        if key in listWellknown:
+        if dn in listWellknown:
             continue
         delta = Message()
-        delta.dn = Dn(samdb, key)
+        delta.dn = dn
         sd_flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_DACL | SECINFO_SACL
         try:
             descr = get_empty_descriptor(names.domainsid)
@@ -1840,7 +1827,6 @@ if __name__ == '__main__':
         message(SIMPLE, "Update machine account")
         update_machine_account_password(ldbs.sam, ldbs.secrets, names)
 
-        dnToRecalculate.sort(dn_sort)
         # 16) SD should be created with admin but as some previous acl were so wrong
         # that admin can't modify them we have first to recreate them with the good
         # form but with system account and then give the ownership to admin ...