Attachment 8088 Details for Bug 38983 – Adjusted takeover.patch for errata4.0-2 and later

[patch] Adjusted takeover.patch for errata4.0-2 and later

takeover.patch (text/plain), 4.33 KB, created by Arvid Requate on 2016-10-11 15:43:25 CEST

(hide)

Description:

Filename:

MIME Type:

Creator: Arvid Requate

Created: 2016-10-11 15:43:25 CEST

Size: 4.33 KB

patch

obsolete

>Index: takeover.py
>===================================================================
>--- takeover.py	(Revision 60906)
>+++ takeover.py	(Arbeitskopie)
>@@ -1408,7 +1408,7 @@
> 		if not "hosts/static/%s" % self.ad_server_ip in self.ucr:
> 			msg=[]
> 			msg.append("")
>-			msg.append("Error: given IP %s was not mapped to a hostname in phase I.")
>+			msg.append("Error: given IP %s was not mapped to a hostname in phase I." % (self.ad_server_ip,))
> 			msg.append("       Please complete phase I of the takeover before initiating the FSMO takeover.")
> 			log.error("\n".join(msg))
> 			raise TakeoverError(_("The Active Directory domain join was not completed successfully yet."))
>@@ -1732,7 +1732,19 @@
> 		if dns_SPN_account_password[0] == '-':	## avoid passing an option
> 			dns_SPN_account_password= '#%s' % dns_SPN_account_password
> 		dns_SPN_account_name = "dns-%s" % self.ucr["hostname"]
>-		run_and_output_to_log(["samba-tool", "user", "add", dns_SPN_account_name, dns_SPN_account_password], log.debug, print_commandline = False)
>+
>+		dnsKeyVersion = 1	## default
>+		msgs = self.samdb.search(base="CN=%s,CN=Users,%s" % (dns_SPN_account_name, self.ucr["samba4/ldap/base"]), scope=samba.ldb.SCOPE_BASE,
>+							attrs=["msDS-KeyVersionNumber"])
>+		if msgs:
>+			log.warn("CN=%s,CN=User already exists in sam.ldb" % dns_SPN_account_name)
>+			run_and_output_to_log(["samba-tool", "user", "setpassword", dns_SPN_account_name, "--newpassword=%s" % (dns_SPN_account_password, )], log.debug, print_commandline = False)
>+		else:
>+			returncode = run_and_output_to_log(["samba-tool", "user", "add", dns_SPN_account_name, dns_SPN_account_password], log.debug, print_commandline = False)
>+			if returncode != 0:
>+				log.error("Adding CN=%s,CN=User failed!" % dns_SPN_account_name)
>+				return
>+
> 		run_and_output_to_log(["samba-tool", "user", "setexpiry", "--noexpiry", dns_SPN_account_name], log.debug)
> 		delta = ldb.Message()
> 		delta.dn = ldb.Dn(self.samdb, "CN=%s,CN=Users,%s" % (dns_SPN_account_name, self.ucr["samba4/ldap/base"]))
>@@ -1739,7 +1751,6 @@
> 		delta["servicePrincipalName"] = ldb.MessageElement("DNS/%s" % self.local_fqdn, ldb.FLAG_MOD_REPLACE, "servicePrincipalName")
> 		self.samdb.modify(delta)
> 
>-		dnsKeyVersion = 1	## default
> 		msgs = self.samdb.search(base="CN=%s,CN=Users,%s" % (dns_SPN_account_name, self.ucr["samba4/ldap/base"]), scope=samba.ldb.SCOPE_BASE,
> 							attrs=["msDS-KeyVersionNumber"])
> 		if msgs:
>@@ -1747,16 +1758,28 @@
> 			dnsKeyVersion = obj["msDS-KeyVersionNumber"][0]
> 
> 		secretsdb = samba.Ldb(os.path.join(SAMBA_PRIVATE_DIR, "secrets.ldb"), session_info=system_session(self.lp), lp=self.lp)
>-		secretsdb.add({"dn": "samAccountName=%s,CN=Principals" % dns_SPN_account_name,
>-			"objectClass": "kerberosSecret",
>-			"privateKeytab": "dns.keytab",
>-			"realm": self.ucr["kerberos/realm"],
>-			"sAMAccountName": dns_SPN_account_name,
>-			"secret": dns_SPN_account_password,
>-			"servicePrincipalName": "DNS/%s" % self.local_fqdn,
>-			"saltPrincipal": "DNS/%s@%s" % (self.local_fqdn, self.ucr["kerberos/realm"]),
>-			"name": dns_SPN_account_name,
>-			"msDS-KeyVersionNumber": dnsKeyVersion})
>+		msgs = secretsdb.search(base="samAccountName=%s,CN=Principals" % (dns_SPN_account_name,), scope=samba.ldb.SCOPE_BASE,
>+							attrs=["msDS-KeyVersionNumber"])
>+		if msgs:
>+			log.warn("samAccountName=%s,CN=Principals already exists in secrets.ldb" % dns_SPN_account_name)
>+			if "msDS-KeyVersionNumber" in obj:
>+				if dnsKeyVersion != obj["msDS-KeyVersionNumber"][0]:
>+					delta = ldb.Message()
>+					delta.dn = obj.dn
>+					delta["secret"] = ldb.MessageElement(dns_SPN_account_password, ldb.FLAG_MOD_REPLACE, "secret")
>+					delta["kvno"] = ldb.MessageElement(dnsKeyVersion, ldb.FLAG_MOD_REPLACE, "msDS-KeyVersionNumber")
>+					secretsdb.modify(delta)
>+		else:
>+			secretsdb.add({"dn": "samAccountName=%s,CN=Principals" % dns_SPN_account_name,
>+				"objectClass": "kerberosSecret",
>+				"privateKeytab": "dns.keytab",
>+				"realm": self.ucr["kerberos/realm"],
>+				"sAMAccountName": dns_SPN_account_name,
>+				"secret": dns_SPN_account_password,
>+				"servicePrincipalName": "DNS/%s" % self.local_fqdn,
>+				"saltPrincipal": "DNS/%s@%s" % (self.local_fqdn, self.ucr["kerberos/realm"]),
>+				"name": dns_SPN_account_name,
>+				"msDS-KeyVersionNumber": dnsKeyVersion})
> 
> 		# returncode = run_and_output_to_log(["/usr/share/univention-samba4/scripts/create_dns-host_spn.py"], log.debug)
> 		# if returncode != 0:

Actions: View | Diff

Attachments on bug 38983: 7036 | 8088