From da0317ca94ea367815d6d5260dcc15f72fef45a8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 23 Feb 2019 00:14:31 +0100 Subject: [PATCH 1/6] drsuapi.idl: add DRSUAPI_ATTID_schemaInfo BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Garming Sam (cherry picked from commit 140a6733a458d0afa20237a09ef4ee2546a83a8f) --- librpc/idl/drsuapi.idl | 1 + 1 file changed, 1 insertion(+)
diff --git a/librpc/idl/drsuapi.idl b/librpc/idl/drsuapi.idl
index cd90500faf57..448a58bcd1f5 100644
--- a/librpc/idl/drsuapi.idl
+++ b/librpc/idl/drsuapi.idl
@@ -548,6 +548,7 @@ interface drsuapi
 DRSUAPI_ATTID_objectCategory = 0x0009030e,
 DRSUAPI_ATTID_gPLink = 0x0009037b,
 DRSUAPI_ATTID_transportAddressAttribute = 0x0009037f,
+ DRSUAPI_ATTID_schemaInfo = 0x0009054e,
 DRSUAPI_ATTID_msDS_Behavior_Version = 0x000905b3,
 DRSUAPI_ATTID_msDS_KeyVersionNumber = 0x000906f6,
 DRSUAPI_ATTID_msDS_NonMembers = 0x00090701,
-- 2.17.1
From 661f532ba055377c578106ec07970f93b93bfbbe Mon Sep 17 00:00:00 2001 From: Aaron Haslett Date: Thu, 4 Apr 2019 14:39:41 +1300 Subject: [PATCH 2/6] samdb: test for schemainfo update with relax control Currently schema info's revision field isn't incremented if relax control is present. This is so that no increment is done during provision, but we need the relax control in other situations where the increment is desired. This patch adds a failing test to expose the problem. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799 Signed-off-by: Aaron Haslett Reviewed-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Garming Sam (cherry picked from commit e34abefb77729330cd48bc039c82b03fe545f8a9) --- selftest/knownfail.d/samdb | 1 + source4/dsdb/tests/python/dsdb_schema_info.py | 15 +++++++++++---- source4/selftest/tests.py | 2 +- 3 files changed, 13 insertions(+), 5 deletions(-) create mode 100644 selftest/knownfail.d/samdb
diff --git a/selftest/knownfail.d/samdb b/selftest/knownfail.d/samdb
new file mode 100644
index 000000000000..d2b076a039d2
--- /dev/null
+++ b/selftest/knownfail.d/samdb
@@ -0,0 +1 @@
+samba4.schemaInfo.python.*SchemaInfoTestCase.test_AddModifyClassLocalRelaxed.*
diff --git a/source4/dsdb/tests/python/dsdb_schema_info.py b/source4/dsdb/tests/python/dsdb_schema_info.py
index 60c97b65829e..8554e6c6082b 100755
--- a/source4/dsdb/tests/python/dsdb_schema_info.py
+++ b/source4/dsdb/tests/python/dsdb_schema_info.py
@@ -166,16 +166,17 @@ systemOnly: FALSE
 """ return ldif
- def test_AddModifyClass(self):
+ def test_AddModifyClass(self, controls=[], class_pre="schemaInfo-Class-"):
 # get initial schemaInfo schi_before = self._getSchemaInfo() # create names for a Class to add
- (class_name, class_ldap_name, class_dn) = self._make_obj_names("schemaInfo-Class-")
+ (class_name, class_ldap_name, class_dn) =\
+ self._make_obj_names(class_pre)
 ldif = self._make_class_ldif(class_name, class_dn, 1) # add the new Class
- self.sam_db.add_ldif(ldif)
+ self.sam_db.add_ldif(ldif, controls=controls)
 self._ldap_schemaUpdateNow() # compare resulting schemaInfo schi_after = self._getSchemaInfo()
@@ -184,7 +185,7 @@ systemOnly: FALSE
 # rename the Class
 class_dn_new = class_dn.replace(class_name, class_name + "-NEW")
 try:
- self.sam_db.rename(class_dn, class_dn_new)
+ self.sam_db.rename(class_dn, class_dn_new, controls=controls)
 except LdbError as e1:
 (num, _) = e1.args
 self.fail("failed to change CN for %s: %s" % (class_name, _))
@@ -192,3 +193,9 @@ systemOnly: FALSE
 # compare resulting schemaInfo
 schi_after = self._getSchemaInfo()
 self._checkSchemaInfo(schi_before, schi_after)
+
+ def test_AddModifyClassLocalRelaxed(self):
+ lp = self.get_loadparm()
+ self.sam_db = samba.tests.connect_samdb(lp.samdb_url())
+ self.test_AddModifyClass(controls=["relax:0"],
+ class_pre="schemaInfo-Relaxed-")
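Review bot: `controls=[]` in the new signature of test_AddModifyClass is a mutable default shared across calls; nothing visible mutates it, but the usual form is `def test_AddModifyClass(self, controls=None, class_pre="schemaInfo-Class-"):` with `controls = [] if controls is None else controls` as the first statement. The method is also still collected as a test in its own right while now serving as a parameterised helper for test_AddModifyClassLocalRelaxed; moving the shared body into a private helper that both tests call would keep the two roles apart. The method body continues past the end of the first hunk into the following ones.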
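Review bot: test_AddModifyClassLocalRelaxed rebinds `self.sam_db` to a local connection and says nowhere why, or what outcome is expected under `relax:0`. A docstring such as `"""schemaInfo must still be bumped when add and rename carry relax:0 (bug 13799)."""` and a short comment on the `connect_samdb` line that the control is exercised over a local database connection (presumably why the suite moves to the `:local` environment in selftest/tests.py) would make that clear. Whether `_getSchemaInfo` and `_ldap_schemaUpdateNow` read through `self.sam_db` or through a separate handle is not visible in this hunk; if they use a different one, the before/after comparison spans two connections and deserves a remark.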
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 5205ff441653..d1522cd4c230 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -863,7 +863,7 @@ plantestsuite_loadlist("samba4.tokengroups.ntlm.python(ad_dc_ntvfs)", "ad_dc_ntv
 plantestsuite("samba4.sam.python(fl2008r2dc)", "fl2008r2dc", [python, os.path.join(samba4srcdir, "dsdb/tests/python/sam.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])
 plantestsuite("samba4.sam.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/sam.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])
 plantestsuite("samba4.user_account_control.python(ad_dc_ntvfs)", "ad_dc_ntvfs", [python, os.path.join(samba4srcdir, "dsdb/tests/python/user_account_control.py"), '$SERVER', '-U"$USERNAME%$PASSWORD"', '--workgroup=$DOMAIN'])
-planoldpythontestsuite("ad_dc_ntvfs", "dsdb_schema_info",
+planoldpythontestsuite("ad_dc_ntvfs:local", "dsdb_schema_info",
 extra_path=[os.path.join(samba4srcdir, 'dsdb/tests/python')], name="samba4.schemaInfo.python(ad_dc_ntvfs)", extra_args=['-U"$DOMAIN/$DC_USERNAME%$DC_PASSWORD"'], py3_compatible=True)
-- 2.17.1
From 05d182dd6fb9af3b777c451b9406e7179336f7c3 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 21 Feb 2019 09:20:48 +0100 Subject: [PATCH 3/6] ldapcmp: ignore 'schemaInfo' if two domains are compared BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Garming Sam (cherry picked from commit b5b572d5f71e2b9783ddb25c21ac32904fbfd661) --- python/samba/netcmd/ldapcmp.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/samba/netcmd/ldapcmp.py b/python/samba/netcmd/ldapcmp.py
index 17c62928a55e..6051b55b31a0 100644
--- a/python/samba/netcmd/ldapcmp.py
+++ b/python/samba/netcmd/ldapcmp.py
@@ -460,7 +460,7 @@ class LDAPObject(object):
 "msDs-masteredBy", "lastSetTime", "ipsecNegotiationPolicyReference", "subRefs", "gPCFileSysPath", "accountExpires", "invocationId", "operatingSystemVersion",
- "oEMInformation",
+ "oEMInformation", "schemaInfo",
 # After Exchange preps "targetAddress", "msExchMailboxGuid", "siteFolderGUID"] #
-- 2.17.1
From 2db28831ed7cb9283639a2b3e0272b116eef78aa Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Mar 2019 11:27:14 +0100 Subject: [PATCH 4/6] s4:provision: split out provision_self_join_modify_schema.ldif BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Garming Sam (cherry picked from commit 5ea84af2d69e0b3a2a801ea0cc3f4ffc66bf1764) --- python/samba/provision/__init__.py | 8 ++++++-- source4/setup/provision_self_join_modify_config.ldif | 5 ----- source4/setup/provision_self_join_modify_schema.ldif | 4 ++++ 3 files changed, 10 insertions(+), 7 deletions(-) create mode 100644 source4/setup/provision_self_join_modify_schema.ldif
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index aa9ffc168b25..dfb9629333db 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1193,11 +1193,15 @@ def setup_self_join(samdb, admin_session_info, names, fill, machinepass,
 "DOMAIN_CONTROLLER_FUNCTIONALITY": str( domainControllerFunctionality)})
- # Setup fSMORoleOwner entries to point at the newly created DC entry
+ # Setup fSMORoleOwner entries to point at the newly created DC entry
+ setup_modify_ldif(samdb,
+ setup_path("provision_self_join_modify_schema.ldif"), {
+ "SCHEMADN": names.schemadn,
+ "SERVERDN": names.serverdn,
+ })
 setup_modify_ldif(samdb,
 setup_path("provision_self_join_modify_config.ldif"), {
 "CONFIGDN": names.configdn,
- "SCHEMADN": names.schemadn,
 "DEFAULTSITE": names.sitename,
 "NETBIOSNAME": names.netbiosname,
 "SERVERDN": names.serverdn,
diff --git a/source4/setup/provision_self_join_modify_config.ldif b/source4/setup/provision_self_join_modify_config.ldif
index 48a70924b89e..2d8e4c929449 100644
--- a/source4/setup/provision_self_join_modify_config.ldif
+++ b/source4/setup/provision_self_join_modify_config.ldif
@@ -1,8 +1,3 @@
-dn: ${SCHEMADN}
-changetype: modify
-replace: fSMORoleOwner
-fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
-
 dn: CN=Partitions,${CONFIGDN}
 changetype: modify
 replace: fSMORoleOwner
diff --git a/source4/setup/provision_self_join_modify_schema.ldif b/source4/setup/provision_self_join_modify_schema.ldif
new file mode 100644
index 000000000000..edb06204e5bd
--- /dev/null
+++ b/source4/setup/provision_self_join_modify_schema.ldif
@@ -0,0 +1,4 @@
+dn: ${SCHEMADN}
+changetype: modify
+replace: fSMORoleOwner
+fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
-- 2.17.1
From 735b83088811186a37212b27f860de5b4342fb48 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Mar 2019 11:28:42 +0100 Subject: [PATCH 5/6] python/provision: use provision and relax controls for schema provision BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Garming Sam (cherry picked from commit 7652439fa1aab92945f5540a43fc49568d446917) --- python/samba/provision/__init__.py | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index dfb9629333db..ea1caa377996 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1198,7 +1198,8 @@ def setup_self_join(samdb, admin_session_info, names, fill, machinepass,
 setup_path("provision_self_join_modify_schema.ldif"), {
 "SCHEMADN": names.schemadn,
 "SERVERDN": names.serverdn,
- })
+ },
+ controls=["provision:0", "relax:0"])
 setup_modify_ldif(samdb,
 setup_path("provision_self_join_modify_config.ldif"), {
 "CONFIGDN": names.configdn,
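Review bot: The schema fSMORoleOwner modify in setup_self_join gains `controls=["provision:0", "relax:0"]` with no comment saying what either control is for, and the call carried no controls before this change. A line above it such as `# provision:0: do not bump schemaInfo while provisioning` would tie it to the samldb change later in this series. If `relax:0` is not actually required for this modify, leaving it out keeps the call to the minimum it needs; if it is required, the comment should say why. setup_self_join starts and ends outside the hunk.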
@@ -1416,16 +1417,20 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
 # The LDIF here was created when the Schema object was constructed ignore_checks_oid = "local_oid:%s:0" % samba.dsdb.DSDB_CONTROL_SKIP_DUPLICATES_CHECK_OID
+ schema_controls = [
+ "provision:0",
+ "relax:0",
+ ignore_checks_oid
+ ]
+
 logger.info("Setting up sam.ldb schema")
- samdb.add_ldif(schema.schema_dn_add,
- controls=["relax:0", ignore_checks_oid])
- samdb.modify_ldif(schema.schema_dn_modify,
- controls=[ignore_checks_oid])
+ samdb.add_ldif(schema.schema_dn_add, controls=schema_controls)
+ samdb.modify_ldif(schema.schema_dn_modify, controls=schema_controls)
 samdb.write_prefixes_from_schema()
- samdb.add_ldif(schema.schema_data, controls=["relax:0", ignore_checks_oid])
+ samdb.add_ldif(schema.schema_data, controls=schema_controls)
 setup_add_ldif(samdb, setup_path("aggregate_schema.ldif"), {"SCHEMADN": names.schemadn},
- controls=["relax:0", ignore_checks_oid])
+ controls=schema_controls)
 # Now register this container in the root of the forest msg = ldb.Message(ldb.Dn(samdb, names.domaindn))
-- 2.17.1
From e2f332346f0f8c1d5610c68e60d0f2aa2958a4a4 Mon Sep 17 00:00:00 2001 From: Aaron Haslett Date: Wed, 3 Apr 2019 16:34:42 +1300 Subject: [PATCH 6/6] dsdb:samdb: schemainfo update with relax control Currently schema info's revision field isn't incremented if relax control is present. This is so that no increment is done during provision, but we need the relax control in other situations where the increment is desired, so we should use the provision control instead to disable schema info update. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799
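Review bot: In the fill_samdb hunk, `samdb.modify_ldif(schema.schema_dn_modify, ...)` used to run with only the skip-duplicates control and now also carries `relax:0`, because the one shared `schema_controls` list is passed to all four calls. If that modify only needs `provision:0` to leave schemaInfo untouched, give it a narrower list, e.g. `samdb.modify_ldif(schema.schema_dn_modify, controls=["provision:0", ignore_checks_oid])`, so checks that were enforced on it before are not relaxed as a side effect of the refactoring. If the relax control is in fact wanted there, a one-line comment above `schema_controls` stating what each entry is for would record that it is deliberate. fill_samdb starts and ends outside the hunk.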
Signed-off-by: Aaron Haslett Reviewed-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Garming Sam (cherry picked from commit b7c1752754da1e8a83a53670cf4a410ec6e9d7b7) --- selftest/knownfail.d/samdb | 1 - source4/dsdb/samdb/ldb_modules/samldb.c | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 selftest/knownfail.d/samdb
diff --git a/selftest/knownfail.d/samdb b/selftest/knownfail.d/samdb
deleted file mode 100644
index d2b076a039d2..000000000000
--- a/selftest/knownfail.d/samdb
+++ /dev/null
@@ -1 +0,0 @@
-samba4.schemaInfo.python.*SchemaInfoTestCase.test_AddModifyClassLocalRelaxed.*
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index e69228c32c75..02eb2fa90494 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1333,7 +1333,7 @@ static int samldb_schema_info_update(struct samldb_ctx *ac)
 } /* do not update schemaInfo during provisioning */
- if (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
+ if (ldb_request_get_control(ac->req, LDB_CONTROL_PROVISION_OID)) {
 return LDB_SUCCESS;
 }
-- 2.17.1
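Review bot: The early return in samldb_schema_info_update now keys on the mere presence of LDB_CONTROL_PROVISION_OID on `ac->req`, so whether a schema change can land without a schemaInfo bump depends entirely on who is allowed to attach that control. Nothing in this hunk shows that restriction; it is worth confirming that the provision control is only honoured for trusted local callers and cannot arrive on a request from a remote LDAP client. Once confirmed, extending the existing comment to something like `/* provisioning only: the provision control skips the schemaInfo bump, relax alone must not */` would record the intent. The series adds a test that relax still bumps schemaInfo, but none that the provision control suppresses it. The function body starts and ends outside the hunk.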