mirror of
https://github.com/samba-team/samba.git
synced 2025-01-25 06:04:04 +03:00
765 lines
31 KiB
Python
Executable File
765 lines
31 KiB
Python
Executable File
#!/usr/bin/python
|
|
#
|
|
# Copyright (C) Matthieu Patou <mat@matws.net> 2009
|
|
#
|
|
# Based on provision a Samba4 server by
|
|
# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
|
|
# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
|
|
#
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
import getopt
|
|
import shutil
|
|
import optparse
|
|
import os
|
|
import sys
|
|
import random
|
|
import string
|
|
import re
|
|
import tempfile
|
|
# Allow to run from s4 source directory (without installing samba)
|
|
sys.path.insert(0, "bin/python")
|
|
|
|
|
|
import samba
|
|
import samba.getopt as options
|
|
from samba.credentials import DONT_USE_KERBEROS
|
|
from samba.auth import system_session, admin_session
|
|
from samba import Ldb
|
|
from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE, LdbError,\
|
|
FLAG_MOD_REPLACE, FLAG_MOD_ADD, FLAG_MOD_DELETE,\
|
|
MessageElement, Message, Dn
|
|
from samba.samdb import SamDB
|
|
from samba import param
|
|
from samba import glue
|
|
from samba.misc import messageEltFlagToString
|
|
from samba.provision import find_setup_dir, get_domain_descriptor, get_config_descriptor, secretsdb_self_join
|
|
from samba.provisionexceptions import ProvisioningError
|
|
from samba.schema import get_dnsyntax_attributes, get_linked_attributes, Schema, get_schema_descriptor
|
|
from samba.dcerpc import misc, security
|
|
from samba.ndr import ndr_pack, ndr_unpack
|
|
from samba.dcerpc.misc import SEC_CHAN_BDC
|
|
from samba.upgradehelpers import dn_sort, get_paths, newprovision, find_provision_key_parameters, rmall
|
|
|
|
never=0
|
|
replace=2^FLAG_MOD_REPLACE
|
|
add=2^FLAG_MOD_ADD
|
|
delete=2^FLAG_MOD_DELETE
|
|
|
|
#Errors are always logged
|
|
ERROR = -1
|
|
SIMPLE = 0x00
|
|
CHANGE = 0x01
|
|
CHANGESD = 0x02
|
|
GUESS = 0x04
|
|
PROVISION = 0x08
|
|
CHANGEALL = 0xff
|
|
|
|
# Attributes that are never copied from the reference provision (even if they
|
|
# do not exist in the destination object).
|
|
# This is most probably because they are populated automatcally when object is
|
|
# created
|
|
# This also apply to imported object from reference provision
|
|
hashAttrNotCopied = { "dn": 1, "whenCreated": 1, "whenChanged": 1, "objectGUID": 1, "replPropertyMetaData": 1, "uSNChanged": 1,
|
|
"uSNCreated": 1, "parentGUID": 1, "objectCategory": 1, "distinguishedName": 1,
|
|
"showInAdvancedViewOnly": 1, "instanceType": 1, "cn": 1, "msDS-Behavior-Version":1, "nextRid":1,
|
|
"nTMixedDomain": 1, "versionNumber":1, "lmPwdHistory":1, "pwdLastSet": 1, "ntPwdHistory":1, "unicodePwd":1,
|
|
"dBCSPwd":1, "supplementalCredentials":1, "gPCUserExtensionNames":1, "gPCMachineExtensionNames":1,
|
|
"maxPwdAge":1, "mail":1, "secret":1, "possibleInferiors":1, "sAMAccountType":1}
|
|
|
|
# Usually for an object that already exists we do not overwrite attributes as
|
|
# they might have been changed for good reasons. Anyway for a few of them it's
|
|
# mandatory to replace them otherwise the provision will be broken somehow.
|
|
hashOverwrittenAtt = { "prefixMap": replace, "systemMayContain": replace, "systemOnly":replace, "searchFlags":replace,
|
|
"mayContain":replace, "systemFlags":replace, "description":replace,
|
|
"oEMInformation":replace, "operatingSystemVersion":replace, "adminPropertyPages":replace,
|
|
"defaultSecurityDescriptor": replace, "wellKnownObjects":replace, "privilege":delete, "groupType":replace,
|
|
"rIDAvailablePool": never}
|
|
|
|
|
|
backlinked = []
|
|
dn_syntax_att = []
|
|
def define_what_to_log(opts):
|
|
what = 0
|
|
if opts.debugchange:
|
|
what = what | CHANGE
|
|
if opts.debugchangesd:
|
|
what = what | CHANGESD
|
|
if opts.debugguess:
|
|
what = what | GUESS
|
|
if opts.debugprovision:
|
|
what = what | PROVISION
|
|
if opts.debugall:
|
|
what = what | CHANGEALL
|
|
return what
|
|
|
|
|
|
parser = optparse.OptionParser("provision [options]")
|
|
sambaopts = options.SambaOptions(parser)
|
|
parser.add_option_group(sambaopts)
|
|
parser.add_option_group(options.VersionOptions(parser))
|
|
credopts = options.CredentialsOptions(parser)
|
|
parser.add_option_group(credopts)
|
|
parser.add_option("--setupdir", type="string", metavar="DIR",
|
|
help="directory with setup files")
|
|
parser.add_option("--debugprovision", help="Debug provision", action="store_true")
|
|
parser.add_option("--debugguess", help="Print information on what is different but won't be changed", action="store_true")
|
|
parser.add_option("--debugchange", help="Print information on what is different but won't be changed", action="store_true")
|
|
parser.add_option("--debugchangesd", help="Print information security descriptors differences", action="store_true")
|
|
parser.add_option("--debugall", help="Print all available information (very verbose)", action="store_true")
|
|
parser.add_option("--full", help="Perform full upgrade of the samdb (schema, configuration, new objects, ...", action="store_true")
|
|
|
|
opts = parser.parse_args()[0]
|
|
|
|
whatToLog = define_what_to_log(opts)
|
|
|
|
def messageprovision(text):
|
|
"""print a message if quiet is not set."""
|
|
if opts.debugprovision or opts.debugall:
|
|
print text
|
|
|
|
def message(what,text):
|
|
"""print a message if quiet is not set."""
|
|
if (whatToLog & what) or (what <= 0 ):
|
|
print text
|
|
|
|
if len(sys.argv) == 1:
|
|
opts.interactive = True
|
|
lp = sambaopts.get_loadparm()
|
|
smbconf = lp.configfile
|
|
|
|
creds = credopts.get_credentials(lp)
|
|
creds.set_kerberos_state(DONT_USE_KERBEROS)
|
|
setup_dir = opts.setupdir
|
|
if setup_dir is None:
|
|
setup_dir = find_setup_dir()
|
|
|
|
session = system_session()
|
|
|
|
# simple helper to allow back and forth rename
|
|
def identic_rename(ldbobj,dn):
|
|
(before,sep,after)=str(dn).partition('=')
|
|
ldbobj.rename(dn,Dn(ldbobj,"%s=foo%s"%(before,after)))
|
|
ldbobj.rename(Dn(ldbobj,"%s=foo%s"%(before,after)),dn)
|
|
|
|
# Create an array of backlinked attributes
|
|
def populate_backlink(newpaths,creds,session,schemadn):
|
|
newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
|
|
linkedAttHash = get_linked_attributes(Dn(newsam_ldb,str(schemadn)),newsam_ldb)
|
|
backlinked.extend(linkedAttHash.values())
|
|
|
|
# Create an array of attributes with a dn synthax (2.5.5.1)
|
|
def populate_dnsyntax(newpaths,creds,session,schemadn):
|
|
newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
|
|
res = newsam_ldb.search(expression="(attributeSyntax=2.5.5.1)",base=Dn(newsam_ldb,str(schemadn)),
|
|
scope=SCOPE_SUBTREE, attrs=["lDAPDisplayName"])
|
|
for elem in res:
|
|
dn_syntax_att.append(elem["lDAPDisplayName"])
|
|
|
|
|
|
|
|
def sanitychecks(credentials,session_info,names,paths):
|
|
sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp,options=["modules:samba_dsdb"])
|
|
# First update the SD for the rootdn
|
|
sam_ldb.set_session_info(session)
|
|
res = sam_ldb.search(expression="objectClass=ntdsdsa",base=str(names.configdn),
|
|
scope=SCOPE_SUBTREE,attrs=["dn"],controls=["search_options:1:2"])
|
|
if len(res) == 0:
|
|
print "No DC found, your provision is most probalby hardly broken !"
|
|
return 0
|
|
elif len(res) != 1:
|
|
print "Found %d domain controllers, for the moment upgradeprovision is not able to handle upgrade on \
|
|
domain with more than one DC, please demote the other(s) DC(s) before upgrading"%len(res)
|
|
return 0
|
|
else:
|
|
return 1
|
|
|
|
|
|
# Debug a little bit
|
|
def print_provision_key_parameters(names):
|
|
message(GUESS, "rootdn :"+str(names.rootdn))
|
|
message(GUESS, "configdn :"+str(names.configdn))
|
|
message(GUESS, "schemadn :"+str(names.schemadn))
|
|
message(GUESS, "serverdn :"+str(names.serverdn))
|
|
message(GUESS, "netbiosname :"+names.netbiosname)
|
|
message(GUESS, "defaultsite :"+names.sitename)
|
|
message(GUESS, "dnsdomain :"+names.dnsdomain)
|
|
message(GUESS, "hostname :"+names.hostname)
|
|
message(GUESS, "domain :"+names.domain)
|
|
message(GUESS, "realm :"+names.realm)
|
|
message(GUESS, "invocationid:"+names.invocation)
|
|
message(GUESS, "policyguid :"+names.policyid)
|
|
message(GUESS, "policyguiddc:"+str(names.policyid_dc))
|
|
message(GUESS, "domainsid :"+str(names.domainsid))
|
|
message(GUESS, "domainguid :"+names.domainguid)
|
|
message(GUESS, "ntdsguid :"+names.ntdsguid)
|
|
message(GUESS, "domainlevel :"+str(names.domainlevel))
|
|
|
|
# Check for security descriptors modifications return 1 if it is and 0 otherwise
|
|
# it also populate hash structure for later use in the upgrade process
|
|
def handle_security_desc(ischema, att, msgElt, hashallSD, old, new):
|
|
if ischema == 1 and att == "defaultSecurityDescriptor" and msgElt.flags() == FLAG_MOD_REPLACE:
|
|
hashSD = {}
|
|
hashSD["oldSD"] = old[0][att]
|
|
hashSD["newSD"] = new[0][att]
|
|
hashallSD[str(old[0].dn)] = hashSD
|
|
return 1
|
|
if att == "nTSecurityDescriptor" and msgElt.flags() == FLAG_MOD_REPLACE:
|
|
if ischema == 0:
|
|
hashSD = {}
|
|
hashSD["oldSD"] = ndr_unpack(security.descriptor, str(old[0][att]))
|
|
hashSD["newSD"] = ndr_unpack(security.descriptor, str(new[0][att]))
|
|
hashallSD[str(old[0].dn)] = hashSD
|
|
return 0
|
|
return 0
|
|
|
|
# Handle special cases ... That's when we want to update a particular attribute
|
|
# only, e.g. if it has a certain value or if it's for a certain object or
|
|
# a class of object.
|
|
# It can be also if we want to do a merge of value instead of a simple replace
|
|
def handle_special_case(att, delta, new, old, ischema):
|
|
flag = delta.get(att).flags()
|
|
if (att == "gPLink" or att == "gPCFileSysPath") and \
|
|
flag == FLAG_MOD_REPLACE and str(new[0].dn).lower() == str(old[0].dn).lower():
|
|
delta.remove(att)
|
|
return 1
|
|
if att == "forceLogoff":
|
|
ref=0x8000000000000000
|
|
oldval=int(old[0][att][0])
|
|
newval=int(new[0][att][0])
|
|
ref == old and ref == abs(new)
|
|
return 1
|
|
if (att == "adminDisplayName" or att == "adminDescription") and ischema:
|
|
return 1
|
|
|
|
if (str(old[0].dn) == "CN=Samba4-Local-Domain,%s"%(str(names.schemadn))\
|
|
and att == "defaultObjectCategory" and flag == FLAG_MOD_REPLACE):
|
|
return 1
|
|
|
|
if (str(old[0].dn) == "CN=Title,%s"%(str(names.schemadn)) and att == "rangeUpper" and flag == FLAG_MOD_REPLACE):
|
|
return 1
|
|
|
|
if ( (att == "member" or att == "servicePrincipalName") and flag == FLAG_MOD_REPLACE):
|
|
hash = {}
|
|
newval = []
|
|
changeDelta=0
|
|
for elem in old[0][att]:
|
|
hash[str(elem)]=1
|
|
newval.append(str(elem))
|
|
|
|
for elem in new[0][att]:
|
|
if not hash.has_key(str(elem)):
|
|
changeDelta=1
|
|
newval.append(str(elem))
|
|
if changeDelta == 1:
|
|
delta[att] = MessageElement(newval, FLAG_MOD_REPLACE, att)
|
|
else:
|
|
delta.remove(att)
|
|
return 1
|
|
|
|
if (str(old[0].dn) == "%s"%(str(names.rootdn)) and att == "subRefs" and flag == FLAG_MOD_REPLACE):
|
|
return 1
|
|
if str(delta.dn).endswith("CN=DisplaySpecifiers,%s"%names.configdn):
|
|
return 1
|
|
return 0
|
|
|
|
def update_secrets(newpaths, paths, creds, session):
|
|
message(SIMPLE,"update secrets.ldb")
|
|
newsecrets_ldb = Ldb(newpaths.secrets, session_info=session, credentials=creds,lp=lp)
|
|
secrets_ldb = Ldb(paths.secrets, session_info=session, credentials=creds,lp=lp, options=["modules:samba_secrets"])
|
|
reference = newsecrets_ldb.search(expression="dn=@MODULES",base="", scope=SCOPE_SUBTREE)
|
|
current = secrets_ldb.search(expression="dn=@MODULES",base="", scope=SCOPE_SUBTREE)
|
|
delta = secrets_ldb.msg_diff(current[0],reference[0])
|
|
delta.dn = current[0].dn
|
|
secrets_ldb.modify(delta)
|
|
|
|
newsecrets_ldb = Ldb(newpaths.secrets, session_info=session, credentials=creds,lp=lp)
|
|
secrets_ldb = Ldb(paths.secrets, session_info=session, credentials=creds,lp=lp)
|
|
reference = newsecrets_ldb.search(expression="objectClass=top",base="", scope=SCOPE_SUBTREE,attrs=["dn"])
|
|
current = secrets_ldb.search(expression="objectClass=top",base="", scope=SCOPE_SUBTREE,attrs=["dn"])
|
|
hash_new = {}
|
|
hash = {}
|
|
listMissing = []
|
|
listPresent = []
|
|
|
|
empty = Message()
|
|
for i in range(0,len(reference)):
|
|
hash_new[str(reference[i]["dn"]).lower()] = reference[i]["dn"]
|
|
|
|
# Create a hash for speeding the search of existing object in the
|
|
# current provision
|
|
for i in range(0,len(current)):
|
|
hash[str(current[i]["dn"]).lower()] = current[i]["dn"]
|
|
|
|
for k in hash_new.keys():
|
|
if not hash.has_key(k):
|
|
listMissing.append(hash_new[k])
|
|
else:
|
|
listPresent.append(hash_new[k])
|
|
for entry in listMissing:
|
|
reference = newsecrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
|
|
current = secrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
|
|
delta = secrets_ldb.msg_diff(empty,reference[0])
|
|
for att in hashAttrNotCopied.keys():
|
|
delta.remove(att)
|
|
message(CHANGE,"Entry %s is missing from secrets.ldb"%reference[0].dn)
|
|
for att in delta:
|
|
message(CHANGE," Adding attribute %s"%att)
|
|
delta.dn = reference[0].dn
|
|
secrets_ldb.add(delta)
|
|
|
|
for entry in listPresent:
|
|
reference = newsecrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
|
|
current = secrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
|
|
delta = secrets_ldb.msg_diff(current[0],reference[0])
|
|
i=0
|
|
for att in hashAttrNotCopied.keys():
|
|
delta.remove(att)
|
|
for att in delta:
|
|
i = i + 1
|
|
|
|
if att == "name":
|
|
message(CHANGE,"Found attribute name on %s, must rename the DN "%(current[0].dn))
|
|
identic_rename(secrets_ldb,reference[0].dn)
|
|
else:
|
|
delta.remove(att)
|
|
|
|
for entry in listPresent:
|
|
reference = newsecrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
|
|
current = secrets_ldb.search(expression="dn=%s"%entry,base="", scope=SCOPE_SUBTREE)
|
|
delta = secrets_ldb.msg_diff(current[0],reference[0])
|
|
i=0
|
|
for att in hashAttrNotCopied.keys():
|
|
delta.remove(att)
|
|
for att in delta:
|
|
i = i + 1
|
|
if att != "dn":
|
|
message(CHANGE," Adding/Changing attribute %s to %s"%(att,current[0].dn))
|
|
|
|
delta.dn = current[0].dn
|
|
secrets_ldb.modify(delta)
|
|
|
|
def dump_denied_change(dn,att,flagtxt,current,reference):
|
|
message(CHANGE, "dn= "+str(dn)+" "+att+" with flag "+flagtxt+" is not allowed to be changed/removed, I discard this change ...")
|
|
if att != "objectSid" :
|
|
i = 0
|
|
for e in range(0,len(current)):
|
|
message(CHANGE,"old %d : %s"%(i,str(current[e])))
|
|
i=i+1
|
|
if reference != None:
|
|
i = 0
|
|
for e in range(0,len(reference)):
|
|
message(CHANGE,"new %d : %s"%(i,str(reference[e])))
|
|
i=i+1
|
|
else:
|
|
message(CHANGE,"old : %s"%str(ndr_unpack( security.dom_sid,current[0])))
|
|
message(CHANGE,"new : %s"%str(ndr_unpack( security.dom_sid,reference[0])))
|
|
|
|
#This function is for doing case by case treatment on special object
|
|
|
|
def handle_special_add(sam_ldb,dn,names):
|
|
dntoremove=None
|
|
if str(dn).lower() == ("CN=Certificate Service DCOM Access,CN=Builtin,%s"%names.rootdn).lower():
|
|
#This entry was misplaced lets remove it if it exists
|
|
dntoremove="CN=Certificate Service DCOM Access,CN=Users,%s"%names.rootdn
|
|
|
|
if str(dn).lower() == ("CN=Cryptographic Operators,CN=Builtin,%s"%names.rootdn).lower():
|
|
#This entry was misplaced lets remove it if it exists
|
|
dntoremove="CN=Cryptographic Operators,CN=Users,%s"%names.rootdn
|
|
|
|
if str(dn).lower() == ("CN=Event Log Readers,CN=Builtin,%s"%names.rootdn).lower():
|
|
#This entry was misplaced lets remove it if it exists
|
|
dntoremove="CN=Event Log Readers,CN=Users,%s"%names.rootdn
|
|
|
|
if dntoremove != None:
|
|
res = sam_ldb.search(expression="objectClass=*",base=dntoremove, scope=SCOPE_BASE,attrs=["dn"],controls=["search_options:1:2"])
|
|
if len(res) > 0:
|
|
message(CHANGE,"Existing object %s must be replaced by %s, removing old object"%(dntoremove,str(dn)))
|
|
sam_ldb.delete(res[0]["dn"])
|
|
|
|
#Check if the one of the dn in the listdn will be created after the current dn
|
|
#hash is indexed by dn to be created, with each key is associated the creation order
|
|
#First dn to be created has the creation order 0, second has 1, ...
|
|
#Index contain the current creation order
|
|
def check_dn_nottobecreated(hash,index,listdn):
|
|
if listdn == None:
|
|
return None
|
|
for dn in listdn:
|
|
key = str(dn).lower()
|
|
if hash.has_key(key) and hash[key] > index:
|
|
return str(dn)
|
|
return None
|
|
|
|
#This function tries to add the missing object "dn" if this object depends on some others
|
|
# the function returns 0, if the object was created 1 is returned
|
|
def add_missing_object(newsam_ldb, sam_ldb, dn, names, basedn, hash, index):
|
|
handle_special_add(sam_ldb,dn,names)
|
|
reference = newsam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn,
|
|
scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
|
|
empty = Message()
|
|
delta = sam_ldb.msg_diff(empty,reference[0])
|
|
for att in hashAttrNotCopied.keys():
|
|
delta.remove(att)
|
|
for att in backlinked:
|
|
delta.remove(att)
|
|
depend_on_yettobecreated = None
|
|
for att in dn_syntax_att:
|
|
depend_on_yet_tobecreated = check_dn_nottobecreated(hash,index,delta.get(str(att)))
|
|
if depend_on_yet_tobecreated != None:
|
|
message(CHANGE,"Object %s depends on %s in attribute %s, delaying the creation"
|
|
%(str(dn),depend_on_yet_tobecreated,str(att)))
|
|
return 0
|
|
delta.dn = dn
|
|
message(CHANGE,"Object %s will be added"%dn)
|
|
sam_ldb.add(delta,["relax:0"])
|
|
return 1
|
|
|
|
def gen_dn_index_hash(listMissing):
|
|
hash = {}
|
|
for i in range(0,len(listMissing)):
|
|
hash[str(listMissing[i]).lower()] = i
|
|
return hash
|
|
|
|
def add_missing_entries(newsam_ldb, sam_ldb, names, basedn,list):
|
|
listMissing = []
|
|
listDefered = list
|
|
|
|
while(len(listDefered) != len(listMissing) and len(listDefered) > 0):
|
|
index = 0
|
|
listMissing = listDefered
|
|
listDefered = []
|
|
hashMissing = gen_dn_index_hash(listMissing)
|
|
for dn in listMissing:
|
|
ret = add_missing_object(newsam_ldb,sam_ldb,dn,names,basedn,hashMissing,index)
|
|
index = index + 1
|
|
if ret == 0:
|
|
#DN can't be created because it depends on some other DN in the list
|
|
listDefered.append(dn)
|
|
if len(listDefered) != 0:
|
|
raise ProvisioningError("Unable to insert missing elements: circular references")
|
|
|
|
|
|
|
|
|
|
# Check difference between the current provision and the reference provision.
|
|
# It looks for all objects which base DN is name. If ischema is "false" then
|
|
# the scan is done in cross partition mode.
|
|
# If "ischema" is true, then special handling is done for dealing with schema
|
|
def check_diff_name(newpaths, paths, creds, session, basedn, names, ischema):
|
|
hash_new = {}
|
|
hash = {}
|
|
hashallSD = {}
|
|
listMissing = []
|
|
listPresent = []
|
|
reference = []
|
|
current = []
|
|
# Connect to the reference provision and get all the attribute in the
|
|
# partition referred by name
|
|
newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
|
|
sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp, options=["modules:samba_dsdb"])
|
|
sam_ldb.transaction_start()
|
|
if ischema:
|
|
reference = newsam_ldb.search(expression="objectClass=*",base=basedn, scope=SCOPE_SUBTREE,attrs=["dn"])
|
|
current = sam_ldb.search(expression="objectClass=*",base=basedn, scope=SCOPE_SUBTREE,attrs=["dn"])
|
|
else:
|
|
reference = newsam_ldb.search(expression="objectClass=*",base=basedn, scope=SCOPE_SUBTREE,attrs=["dn"],controls=["search_options:1:2"])
|
|
current = sam_ldb.search(expression="objectClass=*",base=basedn, scope=SCOPE_SUBTREE,attrs=["dn"],controls=["search_options:1:2"])
|
|
|
|
sam_ldb.transaction_commit()
|
|
# Create a hash for speeding the search of new object
|
|
for i in range(0,len(reference)):
|
|
hash_new[str(reference[i]["dn"]).lower()] = reference[i]["dn"]
|
|
|
|
# Create a hash for speeding the search of existing object in the
|
|
# current provision
|
|
for i in range(0,len(current)):
|
|
hash[str(current[i]["dn"]).lower()] = current[i]["dn"]
|
|
|
|
for k in hash_new.keys():
|
|
if not hash.has_key(k):
|
|
print hash_new[k]
|
|
listMissing.append(hash_new[k])
|
|
else:
|
|
listPresent.append(hash_new[k])
|
|
|
|
# Sort the missing object in order to have object of the lowest level
|
|
# first (which can be containers for higher level objects)
|
|
listMissing.sort(dn_sort)
|
|
listPresent.sort(dn_sort)
|
|
|
|
if ischema:
|
|
# The following lines (up to the for loop) is to load the up to
|
|
# date schema into our current LDB
|
|
# a complete schema is needed as the insertion of attributes
|
|
# and class is done against it
|
|
# and the schema is self validated
|
|
# The double ldb open and schema validation is taken from the
|
|
# initial provision script
|
|
# it's not certain that it is really needed ....
|
|
sam_ldb = Ldb(session_info=session, credentials=creds, lp=lp)
|
|
schema = Schema(setup_path, names.domainsid, schemadn=basedn, serverdn=str(names.serverdn))
|
|
# Load the schema from the one we computed earlier
|
|
sam_ldb.set_schema_from_ldb(schema.ldb)
|
|
# And now we can connect to the DB - the schema won't be loaded
|
|
# from the DB
|
|
sam_ldb.connect(paths.samdb)
|
|
else:
|
|
sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp, options=["modules:samba_dsdb"])
|
|
|
|
sam_ldb.transaction_start()
|
|
|
|
message(SIMPLE,"There are %d missing objects"%(len(listMissing)))
|
|
add_missing_entries(newsam_ldb,sam_ldb,names,basedn,listMissing)
|
|
changed = 0
|
|
for dn in listPresent:
|
|
reference = newsam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn, scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
|
|
current = sam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn, scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
|
|
if ((str(current[0].dn) != str(reference[0].dn)) and (str(current[0].dn).upper() == str(reference[0].dn).upper())):
|
|
message(CHANGE,"Name are the same but case change, let's rename %s to %s"%(str(current[0].dn),str(reference[0].dn)))
|
|
identic_rename(sam_ldb,reference[0].dn)
|
|
current = sam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn, scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
|
|
|
|
delta = sam_ldb.msg_diff(current[0],reference[0])
|
|
for att in hashAttrNotCopied.keys():
|
|
delta.remove(att)
|
|
for att in backlinked:
|
|
delta.remove(att)
|
|
delta.remove("parentGUID")
|
|
nb = 0
|
|
|
|
for att in delta:
|
|
msgElt = delta.get(att)
|
|
if att == "dn":
|
|
continue
|
|
if att == "name":
|
|
delta.remove(att)
|
|
continue
|
|
if handle_security_desc(ischema,att,msgElt,hashallSD,current,reference) == 0:
|
|
delta.remove(att)
|
|
continue
|
|
if (not hashOverwrittenAtt.has_key(att) or not (hashOverwrittenAtt.get(att)&2^msgElt.flags())):
|
|
if hashOverwrittenAtt.has_key(att) and hashOverwrittenAtt.get(att)==never:
|
|
delta.remove(att)
|
|
continue
|
|
if handle_special_case(att,delta,reference,current,ischema)==0 and msgElt.flags()!=FLAG_MOD_ADD:
|
|
i = 0
|
|
if opts.debugchange or opts.debugall:
|
|
try:
|
|
dump_denied_change(dn,att,messageEltFlagToString(msgElt.flags()),current[0][att],reference[0][att])
|
|
except:
|
|
dump_denied_change(dn,att,messageEltFlagToString(msgElt.flags()),current[0][att],None)
|
|
delta.remove(att)
|
|
delta.dn = dn
|
|
if len(delta.items()) >1:
|
|
attributes=",".join(delta.keys())
|
|
message(CHANGE,"%s is different from the reference one, changed attributes: %s"%(dn,attributes))
|
|
changed = changed + 1
|
|
sam_ldb.modify(delta)
|
|
|
|
sam_ldb.transaction_commit()
|
|
message(SIMPLE,"There are %d changed objects"%(changed))
|
|
return hashallSD
|
|
|
|
# Check that SD are correct
|
|
def check_updated_sd(newpaths, paths, creds, session, names):
|
|
newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
|
|
sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp)
|
|
reference = newsam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","nTSecurityDescriptor"],controls=["search_options:1:2"])
|
|
current = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","nTSecurityDescriptor"],controls=["search_options:1:2"])
|
|
hash_new = {}
|
|
for i in range(0,len(reference)):
|
|
hash_new[str(reference[i]["dn"]).lower()] = ndr_unpack(security.descriptor,str(reference[i]["nTSecurityDescriptor"])).as_sddl(names.domainsid)
|
|
|
|
for i in range(0,len(current)):
|
|
key = str(current[i]["dn"]).lower()
|
|
if hash_new.has_key(key):
|
|
sddl = ndr_unpack(security.descriptor,str(current[i]["nTSecurityDescriptor"])).as_sddl(names.domainsid)
|
|
if sddl != hash_new[key]:
|
|
print "%s new sddl/sddl in ref"%key
|
|
print "%s\n%s"%(sddl,hash_new[key])
|
|
|
|
# Simple update method for updating the SD that rely on the fact that nobody
|
|
# should have modified the SD
|
|
# This assumption is safe right now (alpha9) but should be removed asap
|
|
def update_sd(paths, creds, session, names):
|
|
sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp,options=["modules:samba_dsdb"])
|
|
sam_ldb.transaction_start()
|
|
# First update the SD for the rootdn
|
|
sam_ldb.set_session_info(session)
|
|
res = sam_ldb.search(expression="objectClass=*", base=str(names.rootdn), scope=SCOPE_BASE,\
|
|
attrs=["dn", "whenCreated"], controls=["search_options:1:2"])
|
|
delta = Message()
|
|
delta.dn = Dn(sam_ldb,str(res[0]["dn"]))
|
|
descr = get_domain_descriptor(names.domainsid)
|
|
delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE, "nTSecurityDescriptor")
|
|
sam_ldb.modify(delta,["recalculate_sd:0"])
|
|
# Then the config dn
|
|
res = sam_ldb.search(expression="objectClass=*",base=str(names.configdn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
|
|
delta = Message()
|
|
delta.dn = Dn(sam_ldb,str(res[0]["dn"]))
|
|
descr = get_config_descriptor(names.domainsid)
|
|
delta["nTSecurityDescriptor"] = MessageElement( descr,FLAG_MOD_REPLACE,"nTSecurityDescriptor" )
|
|
sam_ldb.modify(delta,["recalculate_sd:0"])
|
|
# Then the schema dn
|
|
res = sam_ldb.search(expression="objectClass=*",base=str(names.schemadn), scope=SCOPE_BASE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
|
|
delta = Message()
|
|
delta.dn = Dn(sam_ldb,str(res[0]["dn"]))
|
|
descr = get_schema_descriptor(names.domainsid)
|
|
delta["nTSecurityDescriptor"] = MessageElement( descr,FLAG_MOD_REPLACE,"nTSecurityDescriptor" )
|
|
sam_ldb.modify(delta,["recalculate_sd:0"])
|
|
|
|
# Then the rest
|
|
hash = {}
|
|
res = sam_ldb.search(expression="objectClass=*",base=str(names.rootdn), scope=SCOPE_SUBTREE,attrs=["dn","whenCreated"],controls=["search_options:1:2"])
|
|
for obj in res:
|
|
if not (str(obj["dn"]) == str(names.rootdn) or
|
|
str(obj["dn"]) == str(names.configdn) or \
|
|
str(obj["dn"]) == str(names.schemadn)):
|
|
hash[str(obj["dn"])] = obj["whenCreated"]
|
|
|
|
listkeys = hash.keys()
|
|
listkeys.sort(dn_sort)
|
|
|
|
for key in listkeys:
|
|
try:
|
|
delta = Message()
|
|
delta.dn = Dn(sam_ldb,key)
|
|
delta["whenCreated"] = MessageElement( hash[key],FLAG_MOD_REPLACE,"whenCreated" )
|
|
sam_ldb.modify(delta,["recalculate_sd:0"])
|
|
except:
|
|
sam_ldb.transaction_cancel()
|
|
res = sam_ldb.search(expression="objectClass=*", base=str(names.rootdn), scope=SCOPE_SUBTREE,\
|
|
attrs=["dn","nTSecurityDescriptor"], controls=["search_options:1:2"])
|
|
print "bad stuff" +ndr_unpack(security.descriptor,str(res[0]["nTSecurityDescriptor"])).as_sddl(names.domainsid)
|
|
return
|
|
sam_ldb.transaction_commit()
|
|
|
|
|
|
def update_basesamdb(newpaths, paths, names):
|
|
message(SIMPLE,"Copy samdb")
|
|
shutil.copy(newpaths.samdb,paths.samdb)
|
|
|
|
message(SIMPLE,"Update partitions filename if needed")
|
|
schemaldb=os.path.join(paths.private_dir,"schema.ldb")
|
|
configldb=os.path.join(paths.private_dir,"configuration.ldb")
|
|
usersldb=os.path.join(paths.private_dir,"users.ldb")
|
|
samldbdir=os.path.join(paths.private_dir,"sam.ldb.d")
|
|
|
|
if not os.path.isdir(samldbdir):
|
|
os.mkdir(samldbdir)
|
|
os.chmod(samldbdir,0700)
|
|
if os.path.isfile(schemaldb):
|
|
shutil.copy(schemaldb,os.path.join(samldbdir,"%s.ldb"%str(names.schemadn).upper()))
|
|
os.remove(schemaldb)
|
|
if os.path.isfile(usersldb):
|
|
shutil.copy(usersldb,os.path.join(samldbdir,"%s.ldb"%str(names.rootdn).upper()))
|
|
os.remove(usersldb)
|
|
if os.path.isfile(configldb):
|
|
shutil.copy(configldb,os.path.join(samldbdir,"%s.ldb"%str(names.configdn).upper()))
|
|
os.remove(configldb)
|
|
|
|
def update_privilege(newpaths, paths):
|
|
message(SIMPLE,"Copy privilege")
|
|
shutil.copy(os.path.join(newpaths.private_dir,"privilege.ldb"),os.path.join(paths.private_dir,"privilege.ldb"))
|
|
|
|
# For each partition check the differences
|
|
def update_samdb(newpaths, paths, creds, session, names):
|
|
|
|
message(SIMPLE, "Doing schema update")
|
|
hashdef = check_diff_name(newpaths,paths,creds,session,str(names.schemadn),names,1)
|
|
message(SIMPLE,"Done with schema update")
|
|
message(SIMPLE,"Scanning whole provision for updates and additions")
|
|
hashSD = check_diff_name(newpaths,paths,creds,session,str(names.rootdn),names,0)
|
|
message(SIMPLE,"Done with scanning")
|
|
|
|
def update_machine_account_password(paths, creds, session, names):
|
|
secrets_ldb = Ldb(paths.secrets, session_info=session, credentials=creds,lp=lp)
|
|
secrets_ldb.transaction_start()
|
|
secrets_msg = secrets_ldb.search(expression=("samAccountName=%s$" % names.netbiosname), attrs=["secureChannelType"])
|
|
sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp)
|
|
sam_ldb.transaction_start()
|
|
if int(secrets_msg[0]["secureChannelType"][0]) == SEC_CHAN_BDC:
|
|
res = sam_ldb.search(expression=("samAccountName=%s$" % names.netbiosname), attrs=[])
|
|
assert(len(res) == 1)
|
|
|
|
msg = ldb.Message(res[0].dn)
|
|
machinepass = glue.generate_random_password(128, 255)
|
|
msg["userPassword"] = ldb.MessageElement(machinepass, ldb.FLAG_MOD_REPLACE, "userPassword")
|
|
sam_ldb.modify(msg)
|
|
|
|
res = sam_ldb.search(expression=("samAccountName=%s$" % names.netbiosname),
|
|
attrs=["msDs-keyVersionNumber"])
|
|
assert(len(res) == 1)
|
|
kvno = int(str(res[0]["msDs-keyVersionNumber"]))
|
|
|
|
secretsdb_self_join(secrets_ldb, domain=names.domain,
|
|
realm=names.realm,
|
|
domainsid=names.domainsid,
|
|
dnsdomain=names.dnsdomain,
|
|
netbiosname=names.netbiosname,
|
|
machinepass=machinepass,
|
|
key_version_number=kvno,
|
|
secure_channel_type=int(secrets_msg[0]["secureChannelType"][0]))
|
|
sam_ldb.transaction_prepare_commit()
|
|
secrets_ldb.transaction_prepare_commit()
|
|
sam_ldb.transaction_commit()
|
|
secrets_ldb.transaction_commit()
|
|
else:
|
|
secrets_ldb.transaction_cancel()
|
|
|
|
def setup_path(file):
|
|
return os.path.join(setup_dir, file)
|
|
|
|
# From here start the big steps of the program
|
|
# First get files paths
|
|
paths=get_paths(param,smbconf=smbconf)
|
|
paths.setup = setup_dir
|
|
# Guess all the needed names (variables in fact) from the current
|
|
# provision.
|
|
|
|
names = find_provision_key_parameters(param, creds, session, paths, smbconf)
|
|
if not sanitychecks(creds,session,names,paths):
|
|
message(SIMPLE,"Sanity checks for the upgrade fails, checks messages and correct it before rerunning upgradeprovision")
|
|
sys.exit(1)
|
|
# Let's see them
|
|
print_provision_key_parameters(names)
|
|
# With all this information let's create a fresh new provision used as reference
|
|
message(SIMPLE,"Creating a reference provision")
|
|
provisiondir = tempfile.mkdtemp(dir=paths.private_dir, prefix="referenceprovision")
|
|
newprovision(names, setup_dir, creds, session, smbconf, provisiondir, messageprovision)
|
|
# Get file paths of this new provision
|
|
newpaths = get_paths(param, targetdir=provisiondir)
|
|
populate_backlink(newpaths, creds, session,names.schemadn)
|
|
populate_dnsyntax(newpaths, creds, session,names.schemadn)
|
|
# Check the difference
|
|
update_basesamdb(newpaths, paths,names)
|
|
|
|
if opts.full:
|
|
update_samdb(newpaths, paths, creds, session, names)
|
|
update_secrets(newpaths, paths, creds, session)
|
|
update_privilege(newpaths, paths)
|
|
update_machine_account_password(paths, creds, session, names)
|
|
# SD should be created with admin but as some previous acl were so wrong that admin can't modify them we have first
|
|
# to recreate them with the good form but with system account and then give the ownership to admin ...
|
|
admin_session_info = admin_session(lp, str(names.domainsid))
|
|
message(SIMPLE,"Updating SD")
|
|
update_sd(paths, creds, session,names)
|
|
update_sd(paths, creds, admin_session_info, names)
|
|
check_updated_sd(newpaths, paths, creds, session, names)
|
|
message(SIMPLE,"Upgrade finished !")
|
|
# remove reference provision now that everything is done !
|
|
rmall(provisiondir)
|