The Samba-Bugzilla – Attachment 8756 Details for
Bug 9784
classicupgrade: Improve handling of invalid accounts (particularly from pdb_ldap)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
improved patch
classicupgrade.patch (text/plain), 3.91 KB, created by
Andrew Bartlett
on 2013-04-11 02:45:38 UTC
(
hide
)
Description:
improved patch
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2013-04-11 02:45:38 UTC
Size:
3.91 KB
patch
obsolete
>From 33f28991d0f6b4045d431aeb02aa0a90adb76f2a Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 11 Apr 2013 09:32:13 +1000 >Subject: [PATCH 1/2] python-samba-tool domain classicupgrade: Skip machine > accounts that do not end in $ > >These accounts will not work anyway, as all the domain member lookup code in netlogon expects the $. > >Andrew Bartlett >--- > python/samba/upgrade.py | 15 +++++++++++---- > 1 file changed, 11 insertions(+), 4 deletions(-) > >diff --git a/python/samba/upgrade.py b/python/samba/upgrade.py >index af854ef..df5ab41 100644 >--- a/python/samba/upgrade.py >+++ b/python/samba/upgrade.py >@@ -698,16 +698,17 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, > > user = s3db.getsampwnam(username) > acct_type = (user.acct_ctrl & (samr.ACB_NORMAL|samr.ACB_WSTRUST|samr.ACB_SVRTRUST|samr.ACB_DOMTRUST)) >- if (acct_type == samr.ACB_NORMAL or acct_type == samr.ACB_WSTRUST): >- pass >- >- elif acct_type == samr.ACB_SVRTRUST: >+ if acct_type == samr.ACB_SVRTRUST: > logger.warn(" Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain promote'" % username[:-1]) > user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_SVRTRUST) | samr.ACB_WSTRUST > > elif acct_type == samr.ACB_DOMTRUST: > logger.warn(" Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust" % username[:-1]) > >+ elif acct_type == (samr.ACB_WSTRUST) and username[-1] != '$': >+ logger.warn(" Skipping account %s that has ACB_WSTRUST (W) set but does not end in $. This account can not have worked, and is probably left over from a misconfiguration." % username) >+ continue >+ > elif acct_type == (samr.ACB_NORMAL|samr.ACB_WSTRUST) and username[-1] == '$': > logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member" % username) > user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL) >@@ -716,6 +717,12 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, > logger.warn(" Fixing account %s which had both ACB_NORMAL (U) and ACB_SVRTRUST (S) set. Account will be marked as ACB_WSTRUST (S), i.e. as a domain member" % username) > user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_NORMAL) > >+ elif acct_type == 0 and username[-1] != '$': >+ user.acct_ctrl = (user.acct_ctrl | samr.ACB_NORMAL) >+ >+ elif (acct_type == samr.ACB_NORMAL or acct_type == samr.ACB_WSTRUST): >+ pass >+ > else: > raise ProvisioningError("""Failed to upgrade due to invalid account %s, account control flags 0x%08X must have exactly one of > ACB_NORMAL (N, 0x%08X), ACB_WSTRUST (W 0x%08X), ACB_SVRTRUST (S 0x%08X) or ACB_DOMTRUST (D 0x%08X). >-- >1.7.11.7 > > >From 9ff7dc4dafa9bcdf5a59548c32f86398762aa2b3 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 11 Apr 2013 09:33:16 +1000 >Subject: [PATCH 2/2] python-samba-tool domain classicupgrade: Actually Skip > domain trust accounts > >--- > python/samba/upgrade.py | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/python/samba/upgrade.py b/python/samba/upgrade.py >index df5ab41..804ef50 100644 >--- a/python/samba/upgrade.py >+++ b/python/samba/upgrade.py >@@ -704,6 +704,7 @@ def upgrade_from_samba3(samba3, logger, targetdir, session_info=None, > > elif acct_type == samr.ACB_DOMTRUST: > logger.warn(" Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust" % username[:-1]) >+ continue > > elif acct_type == (samr.ACB_WSTRUST) and username[-1] != '$': > logger.warn(" Skipping account %s that has ACB_WSTRUST (W) set but does not end in $. This account can not have worked, and is probably left over from a misconfiguration." % username) >-- >1.7.11.7 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=8756">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 9784
:
8754
| 8756 |
8757
|
8769