From 1fb5331c9f0cd030d63d47af0327f3958f7f0ef5 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 22 Mar 2013 21:36:49 +1100
Subject: [PATCH 1/2] samba-tool ldapcmp: Remove the GUID -> name mappings
These mappings are very convenient, however because they are not one-to-one, they lead to differences being reported when none exist, dependent only on the order the schema searches return results in. Sadly the time saved by the names is offset by the time wasted chasing the 'differences' that don't exist. This in turn fixes some tests that were previously knownfail Andrew Bartlett
Reviewed-by: Stefan Metzmacher
(cherry picked from commit 5d42260eecfd4f26cc82637ce1bc989083c9eb9d)
---
 python/samba/netcmd/ldapcmp.py | 47 ++++--------------------------------------
 selftest/knownfail | 8 +++----
 2 files changed, 7 insertions(+), 48 deletions(-)
diff --git a/python/samba/netcmd/ldapcmp.py b/python/samba/netcmd/ldapcmp.py
index 6e025a2..7bd118e 100644
--- a/python/samba/netcmd/ldapcmp.py
+++ b/python/samba/netcmd/ldapcmp.py
@@ -80,7 +80,6 @@ class LDAPBase(object): self.server_names = self.find_servers() self.domain_name = re.sub("[Dd][Cc]=", "", self.base_dn).replace(",", ".") self.domain_sid = self.find_domain_sid() - self.get_guid_map() self.get_sid_map() # # Log some domain controller specific place-holers that are being used
@@ -250,20 +249,6 @@ class LDAPBase(object): assert index == len(blob) return res.strip().replace(" ", "-") - def get_guid_map(self): - """ Build dictionary that maps GUID to 'name' attribute found in Schema or Extended-Rights. - """ - self.guid_map = {} - res = self.ldb.search(base=self.schema_dn, - expression="(schemaIdGuid=*)", scope=SCOPE_SUBTREE, attrs=["schemaIdGuid", "name"]) - for item in res: - self.guid_map[self.guid_as_string(item["schemaIdGuid"]).lower()] = item["name"][0] - # - res = self.ldb.search(base="cn=extended-rights,%s" % self.config_dn, - expression="(rightsGuid=*)", scope=SCOPE_SUBTREE, attrs=["rightsGuid", "name"]) - for item in res: - self.guid_map[str(item["rightsGuid"]).lower()] = item["name"][0] - def get_sid_map(self): """ Build dictionary that maps GUID to 'name' attribute found in Schema or Extended-Rights. """
@@ -299,22 +284,6 @@ class Descriptor(object): return [] return re.findall("(\(.*?\))", res) - def fix_guid(self, ace): - res = "%s" % ace - guids = re.findall("[a-z0-9]+?-[a-z0-9]+-[a-z0-9]+-[a-z0-9]+-[a-z0-9]+", res) - # If there are not GUIDs to replace return the same ACE - if len(guids) == 0: - return res - for guid in guids: - try: - name = self.con.guid_map[guid.lower()] - res = res.replace(guid, name) - except KeyError: - # Do not bother if the GUID is not found in - # cn=Schema or cn=Extended-Rights - pass - return res - def fix_sid(self, ace): res = "%s" % ace sids = re.findall("S-[-0-9]+", res)
@@ -330,14 +299,6 @@ class Descriptor(object): pass return res - def fixit(self, ace): - """ Combine all replacement methods in one - """ - res = "%s" % ace - res = self.fix_guid(res) - res = self.fix_sid(res) - return res - def diff_1(self, other): res = "" if len(self.dacl_list) != len(other.dacl_list):
@@ -361,8 +322,8 @@ class Descriptor(object): other_ace = "" if len(self_ace) + len(other_ace) == 0: break - self_ace_fixed = "%s" % self.fixit(self_ace) - other_ace_fixed = "%s" % other.fixit(other_ace) + self_ace_fixed = "%s" % self.fix_sid(self_ace) + other_ace_fixed = "%s" % other.fix_sid(other_ace) if self_ace_fixed != other_ace_fixed: res += "%60s * %s\n" % ( self_ace_fixed, other_ace_fixed ) flag = False
@@ -383,8 +344,8 @@ class Descriptor(object): other_aces = [] self_dacl_list_fixed = [] other_dacl_list_fixed = [] - [self_dacl_list_fixed.append( self.fixit(ace) ) for ace in self.dacl_list] - [other_dacl_list_fixed.append( other.fixit(ace) ) for ace in other.dacl_list] + [self_dacl_list_fixed.append( self.fix_sid(ace) ) for ace in self.dacl_list] + [other_dacl_list_fixed.append( other.fix_sid(ace) ) for ace in other.dacl_list] for ace in self_dacl_list_fixed: try: other_dacl_list_fixed.index(ace)
diff --git a/selftest/knownfail b/selftest/knownfail
index d455e34..ecb1934 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
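Review bot: The `"%s" %` wrapping kept on the two replaced lines is redundant, because fix_sid already builds its result as `res = "%s" % ace` and returns that string (visible in the -299 hunk's context); `self_ace_fixed = self.fix_sid(self_ace)` and `other_ace_fixed = other.fix_sid(other_ace)` say the same thing without the extra formatting step. The enclosing function starts and ends outside this hunk.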
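Review bot: The two replaced lines in the -383 hunk use a list comprehension purely for its append side effect, building and discarding a list of `None` values; since these lines are being rewritten anyway, `self_dacl_list_fixed = [self.fix_sid(ace) for ace in self.dacl_list]` and `other_dacl_list_fixed = [other.fix_sid(ace) for ace in other.dacl_list]` express the intent directly and make the two preceding `= []` initialisations unnecessary. The enclosing function starts and ends outside this hunk.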
@@ -159,11 +159,9 @@ ^samba4.rpc.lsa.forest.trust #Not fully provided by Samba4 ^samba4.blackbox.kinit\(.*\).kinit with user password for expired password\(.*\) # We need to work out why this fails only during the pw change ^samba4.blackbox.dbcheck\(vampire_dc\).dbcheck\(vampire_dc:local\) # Due to replicating with --domain-critical-only we fail dbcheck on this database
-^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
-^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
-^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
-^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
-^samba4.blackbox.dbcheck.release-4-0-0.ldapcmp_sd\(none\) # We do not yet know how to reset the DC ACL with dbcheck
+^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
+^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
+^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects ^samba3.smb2.create.gentest ^samba3.smb2.create.blob ^samba3.smb2.create.open
-- 1.7.11.7
From c7c275cc1dd9e3f160697ae1ce09e49e15209b12 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 22 Mar 2013 21:58:25 +1100
Subject: [PATCH 2/2] scripting: Fill the ProvisionNames hash with strings, not ldb.MessageElement or Dn
This avoids the need to fix it up again in samba_upgradedns. Andrew Bartlett
Reviewed-by: Stefan Metzmacher
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Mon Mar 25 13:25:30 CET 2013 on sn-devel-104
(cherry picked from commit 30adf0cdbae6d9aaf2e72513d9c33267248f20c0)
---
 python/samba/provision/__init__.py | 15 +++++++--------
 source4/scripting/bin/samba_upgradedns | 16 +---------------
 2 files changed, 8 insertions(+), 23 deletions(-)
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 32baac6..f13b7d1 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -201,9 +201,8 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf, "configurationNamingContext","rootDomainNamingContext", "namingContexts"]) - names.configdn = current[0]["configurationNamingContext"] - configdn = str(names.configdn) - names.schemadn = current[0]["schemaNamingContext"] + names.configdn = current[0]["configurationNamingContext"][0] + names.schemadn = current[0]["schemaNamingContext"][0] if not (ldb.Dn(samdb, basedn) == (ldb.Dn(samdb, current[0]["defaultNamingContext"][0]))): raise ProvisioningError(("basedn in %s (%s) and from %s (%s)"
@@ -211,8 +210,8 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf, str(current[0]["defaultNamingContext"][0]), paths.smbconf, basedn))) - names.domaindn=current[0]["defaultNamingContext"] - names.rootdn=current[0]["rootDomainNamingContext"] + names.domaindn=current[0]["defaultNamingContext"][0] + names.rootdn=current[0]["rootDomainNamingContext"][0] names.ncs=current[0]["namingContexts"] names.dnsforestdn = None names.dnsdomaindn = None
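Review bot: The local `configdn` is dropped on the removed line of the -201 hunk, but its remaining uses are only rewritten in the -232 and -242 hunks; any other reference to `configdn` inside find_provision_key_parameters that falls outside the shown hunks would now raise NameError at runtime rather than at import time. The diffstat for this file (7 insertions, 8 deletions) is fully accounted for by the visible hunks, which suggests the replacement is complete, but a grep of the function for the bare name is cheap insurance. The function's body starts and ends outside this hunk.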
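Review bot: In the -211 hunk, `names.ncs=current[0]["namingContexts"]` on the context line directly after the two replaced assignments still stores the raw MessageElement, which is at odds with the commit's stated goal of filling ProvisionNames with strings rather than ldb.MessageElement. If consumers only iterate it, `names.ncs = [str(x) for x in current[0]["namingContexts"]]` would make the hash uniformly string-valued; check first whether anything relies on MessageElement behaviour before changing it. The enclosing function starts and ends outside this hunk.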
@@ -232,7 +231,7 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf, # default site name res3 = samdb.search(expression="(objectClass=site)", - base="CN=Sites," + configdn, scope=ldb.SCOPE_ONELEVEL, attrs=["cn"]) + base="CN=Sites," + names.configdn, scope=ldb.SCOPE_ONELEVEL, attrs=["cn"]) names.sitename = str(res3[0]["cn"]) # dns hostname and server dn
@@ -242,8 +241,8 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf, names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain, "") server_res = samdb.search(expression="serverReference=%s" % res4[0].dn, - attrs=[], base=configdn) - names.serverdn = server_res[0].dn + attrs=[], base=names.configdn) + names.serverdn = str(server_res[0].dn) # invocation id/objectguid res5 = samdb.search(expression="(objectClass=*)",
diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index f389ef7..3c30090 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
@@ -83,19 +83,6 @@ def find_bind_gid(): return None -def fix_names(pnames): - """Convert elements to strings from MessageElement - """ - names = pnames - names.rootdn = pnames.rootdn[0] - names.domaindn = pnames.domaindn[0] - names.configdn = pnames.configdn[0] - names.schemadn = pnames.schemadn[0] - names.root_gid = pnames.root_gid - names.serverdn = str(pnames.serverdn) - return names - - def convert_dns_rdata(rdata, serial=1): """Convert resource records in dnsRecord format """
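Review bot: In the -242 hunk, the new line `names.serverdn = str(server_res[0].dn)` indexes the search result without checking that it is non-empty, so a DC whose server object does not carry the expected serverReference fails with a bare IndexError instead of the ProvisioningError this function raises for the basedn mismatch in the -201 hunk. A guard such as `if len(server_res) != 1: raise ProvisioningError("expected exactly one server object referencing %s" % res4[0].dn)` immediately before the assignment turns that into a diagnosable failure. Separately, the preceding context line interpolates `res4[0].dn` into the filter unescaped; the value comes from the same database so this is a robustness rather than an injection concern, but ldb.binary_encode is the helper for escaping filter values should this code be revisited. The enclosing function starts and ends outside this hunk.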
@@ -270,9 +257,8 @@ if __name__ == '__main__': paths = get_paths(param, smbconf=lp.configfile) paths.bind_gid = find_bind_gid() ldbs = get_ldbs(paths, creds, system_session(), lp) - pnames = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap, + names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap, paths, lp.configfile, lp) - names = fix_names(pnames) if names.domainlevel < DS_DOMAIN_FUNCTION_2003: logger.error("Cannot create AD based DNS for OS level < 2003")
-- 1.7.11.7