sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-03 04:22:09 +03:00
Code Activity

s4 provision: move update_machine_account_password to helpers

Browse Source 
This is to allow reuse of this function and also unit tests

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Matthieu Patou
2010-07-04 16:38:54 +04:00
committed by Andrew Bartlett
parent ff93d58b60
commit fd2eb0dfd0
2 changed files with 51 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
source4/scripting/bin/upgradeprovision
View File

@ -43,20 +43,20 @@ from ldb import (SCOPE_SUBTREE, SCOPE_BASE,
MessageElement, Message, Dn) MessageElement, Message, Dn)
from samba import param from samba import param
from samba.provision import (find_setup_dir, get_domain_descriptor, from samba.provision import (find_setup_dir, get_domain_descriptor,
get_config_descriptor, secretsdb_self_join, get_config_descriptor,
ProvisioningError, get_last_provision_usn, ProvisioningError, get_last_provision_usn,
get_max_usn, update_provision_usn) get_max_usn, update_provision_usn)
from samba.schema import get_linked_attributes, Schema, get_schema_descriptor from samba.schema import get_linked_attributes, Schema, get_schema_descriptor
from samba.dcerpc import security, drsblobs from samba.dcerpc import security, drsblobs
from samba.ndr import ndr_unpack from samba.ndr import ndr_unpack
from samba.dcerpc.misc import SEC_CHAN_BDC
from samba.upgradehelpers import (dn_sort, get_paths, newprovision, from samba.upgradehelpers import (dn_sort, get_paths, newprovision,
find_provision_key_parameters, get_ldbs, find_provision_key_parameters, get_ldbs,
usn_in_range, identic_rename, get_diff_sddls, usn_in_range, identic_rename, get_diff_sddls,
update_secrets, CHANGE, ERROR, SIMPLE, update_secrets, CHANGE, ERROR, SIMPLE,
CHANGEALL, GUESS, CHANGESD, PROVISION, CHANGEALL, GUESS, CHANGESD, PROVISION,
updateOEMInfo, getOEMInfo, update_gpo, updateOEMInfo, getOEMInfo, update_gpo,
delta_update_basesamdb, update_policyids) delta_update_basesamdb, update_policyids,
update_machine_account_password)
replace=2**FLAG_MOD_REPLACE replace=2**FLAG_MOD_REPLACE
add=2**FLAG_MOD_ADD add=2**FLAG_MOD_ADD
@ -1185,48 +1185,6 @@ def update_samdb(ref_samdb, samdb, names, highestUSN, schema):
return 0 return 0
def update_machine_account_password(samdb, secrets_ldb, names):
"""Update (change) the password of the current DC both in the SAM db and in
secret one
:param samdb: An LDB object related to the sam.ldb file of a given provision
:param secrets_ldb: An LDB object related to the secrets.ldb file of a given
provision
:param names: List of key provision parameters"""
message(SIMPLE, "Update machine account")
expression = "samAccountName=%s$" % names.netbiosname
secrets_msg = secrets_ldb.search(expression=expression,
attrs=["secureChannelType"])
if int(secrets_msg[0]["secureChannelType"][0]) == SEC_CHAN_BDC:
res = samdb.search(expression=expression, attrs=[])
assert(len(res) == 1)
msg = Message(res[0].dn)
machinepass = samba.generate_random_password(128, 255)
msg["userPassword"] = MessageElement(machinepass, FLAG_MOD_REPLACE,
"userPassword")
samdb.modify(msg)
res = samdb.search(expression=("samAccountName=%s$" % names.netbiosname),
attrs=["msDs-keyVersionNumber"])
assert(len(res) == 1)
kvno = int(str(res[0]["msDs-keyVersionNumber"]))
secChanType = int(secrets_msg[0]["secureChannelType"][0])
secretsdb_self_join(secrets_ldb, domain=names.domain,
realm=names.realm or sambaopts._lp.get('realm'),
domainsid=names.domainsid,
dnsdomain=names.dnsdomain,
netbiosname=names.netbiosname,
machinepass=machinepass,
key_version_number=kvno,
secure_channel_type=secChanType)
else:
raise ProvisioningError("Unable to find a Secure Channel"
"of type SEC_CHAN_BDC")
def setup_path(file): def setup_path(file):
return os.path.join(setup_dir, file) return os.path.join(setup_dir, file)
@ -1455,14 +1413,14 @@ if __name__ == '__main__':
# 12) # 12)
schema = Schema(setup_path, names.domainsid, schemadn=str(names.schemadn), schema = Schema(setup_path, names.domainsid, schemadn=str(names.schemadn),
serverdn=str(names.serverdn)) serverdn=str(names.serverdn))
# 13) # 13)
if opts.full: if opts.full:
if not update_samdb(new_ldbs.sam, ldbs.sam, names, lastProvisionUSNs, if not update_samdb(new_ldbs.sam, ldbs.sam, names, lastProvisionUSNs,
schema): schema):
message(SIMPLE, "Rollbacking every changes. Check the reason" message(SIMPLE, "Rollbacking every changes. Check the reason"
" of the problem") " of the problem")
message(SIMPLE, "In any case your system as it was before" message(SIMPLE, "In any case your system as it was before"
" the upgrade") " the upgrade")
ldbs.groupedRollback() ldbs.groupedRollback()
new_ldbs.groupedRollback() new_ldbs.groupedRollback()
@ -1471,6 +1429,7 @@ if __name__ == '__main__':
# 14) # 14)
update_secrets(new_ldbs.secrets, ldbs.secrets, message) update_secrets(new_ldbs.secrets, ldbs.secrets, message)
# 15) # 15)
message(SIMPLE, "Update machine account")
update_machine_account_password(ldbs.sam, ldbs.secrets, names) update_machine_account_password(ldbs.sam, ldbs.secrets, names)
# 16) SD should be created with admin but as some previous acl were so wrong # 16) SD should be created with admin but as some previous acl were so wrong

45
source4/scripting/python/samba/upgradehelpers.py
View File

@ -35,8 +35,9 @@ import ldb
from samba.provision import (ProvisionNames, provision_paths_from_lp, from samba.provision import (ProvisionNames, provision_paths_from_lp,
getpolicypath, set_gpo_acl, create_gpo_struct, getpolicypath, set_gpo_acl, create_gpo_struct,
FILL_FULL, provision, ProvisioningError, FILL_FULL, provision, ProvisioningError,
setsysvolacl) setsysvolacl, secretsdb_self_join)
from samba.dcerpc import misc, security, xattr from samba.dcerpc import misc, security, xattr
from samba.dcerpc.misc import SEC_CHAN_BDC
from samba.ndr import ndr_unpack from samba.ndr import ndr_unpack
from samba.samdb import SamDB from samba.samdb import SamDB
@ -770,6 +771,48 @@ def construct_existor_expr(attrs):
expr = "%s)"%expr expr = "%s)"%expr
return expr return expr
def update_machine_account_password(samdb, secrets_ldb, names):
"""Update (change) the password of the current DC both in the SAM db and in
secret one
:param samdb: An LDB object related to the sam.ldb file of a given provision
:param secrets_ldb: An LDB object related to the secrets.ldb file of a given
provision
:param names: List of key provision parameters"""
expression = "samAccountName=%s$" % names.netbiosname
secrets_msg = secrets_ldb.search(expression=expression,
attrs=["secureChannelType"])
if int(secrets_msg[0]["secureChannelType"][0]) == SEC_CHAN_BDC:
res = samdb.search(expression=expression, attrs=[])
assert(len(res) == 1)
msg = ldb.Message(res[0].dn)
machinepass = samba.generate_random_password(128, 255)
msg["userPassword"] = ldb.MessageElement(machinepass,
ldb.FLAG_MOD_REPLACE,
"userPassword")
samdb.modify(msg)
res = samdb.search(expression=("samAccountName=%s$" % names.netbiosname),
attrs=["msDs-keyVersionNumber"])
assert(len(res) == 1)
kvno = int(str(res[0]["msDs-keyVersionNumber"]))
secChanType = int(secrets_msg[0]["secureChannelType"][0])
secretsdb_self_join(secrets_ldb, domain=names.domain,
realm=names.realm,
domainsid=names.domainsid,
dnsdomain=names.dnsdomain,
netbiosname=names.netbiosname,
machinepass=machinepass,
key_version_number=kvno,
secure_channel_type=secChanType)
else:
raise ProvisioningError("Unable to find a Secure Channel"
"of type SEC_CHAN_BDC")
def search_constructed_attrs_stored(samdb, rootdn, attrs): def search_constructed_attrs_stored(samdb, rootdn, attrs):
"""Search a given sam DB for calculated attributes that are """Search a given sam DB for calculated attributes that are
still stored in the db. still stored in the db.