summaryrefslogtreecommitdiffstats
path: root/testprogs/blackbox/ldapcmp_restoredc.sh
blob: 831b992e960eb995dfe6797d8c775c23be108a12 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

#!/bin/sh
# Does an ldapcmp between a newly restored testenv and the original testenv it
# was based on

if [ $# -lt 2 ]; then
	cat <<EOF
Usage: $0 ORIG_DC_PREFIX RESTORED_DC_PREFIX
EOF
	exit 1
fi

ORIG_DC_PREFIX_ABS="$1"
RESTORED_DC_PREFIX_ABS="$2"
shift 2

. $(dirname $0)/subunit.sh

basedn()
{
	SAMDB_PATH=$1
	$BINDIR/ldbsearch -H $SAMDB_PATH --basedn='' --scope=base defaultNamingContext | grep defaultNamingContext | awk '{print $2}'
}

ldapcmp_with_orig()
{

	DB1_PATH="tdb://$ORIG_DC_PREFIX_ABS/private/sam.ldb"
	DB2_PATH="tdb://$RESTORED_DC_PREFIX_ABS/private/sam.ldb"

	# check if the 2 DCs are in different domains
	DC1_BASEDN=$(basedn $DB1_PATH)
	DC2_BASEDN=$(basedn $DB2_PATH)
	BASE_DN_OPTS=""

	# if necessary, pass extra args to ldapcmp to handle the difference in base DNs
	if [ "$DC1_BASEDN" != "$DC2_BASEDN" ]; then
		BASE_DN_OPTS="--base=$DC1_BASEDN --base2=$DC2_BASEDN"
	fi

	# the restored DC will remove DNS entries for the old DC(s)
	IGNORE_ATTRS="dnsRecord,dNSTombstoned"

	# DC2 joined DC1, so it will have different DRS info
	IGNORE_ATTRS="$IGNORE_ATTRS,msDS-NC-Replica-Locations,msDS-HasInstantiatedNCs"
	IGNORE_ATTRS="$IGNORE_ATTRS,interSiteTopologyGenerator"

	# there's a servicePrincipalName that uses the objectGUID of the DC's NTDS
	# Settings that will differ between the two DCs
	IGNORE_ATTRS="$IGNORE_ATTRS,servicePrincipalName"

	# the restore changes the new DC's password twice
	IGNORE_ATTRS="$IGNORE_ATTRS,lastLogonTimestamp"

	# The RID pools get bumped during the restore process
	IGNORE_ATTRS="$IGNORE_ATTRS,rIDAllocationPool,rIDAvailablePool"

	# these are just differences between provisioning a domain and joining a DC
	IGNORE_ATTRS="$IGNORE_ATTRS,localPolicyFlags,operatingSystem,displayName"

	# the restored DC may use a different side compared to the original DC
	IGNORE_ATTRS="$IGNORE_ATTRS,serverReferenceBL,msDS-IsDomainFor"

	LDAPCMP_CMD="$PYTHON $BINDIR/samba-tool ldapcmp"
	$LDAPCMP_CMD $DB1_PATH $DB2_PATH --two --skip-missing-dn --filter=$IGNORE_ATTRS $BASE_DN_OPTS
}

# check that the restored testenv DC basically matches the original
testit "orig_dc_matches" ldapcmp_with_orig

exit $failed
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-28 20:58:51 +0000