path: root/source4/setup
Commit message | Author | Age | Files | Lines
* s4:provision_basedn_modify - fix the "auditPolicy" attribute | Matthias Dieter Wallnöfer | 2009-09-20 | 1 | -1/+2
| I had to think about how to encode the string 0x0001 (taken from Windows Server). The problem is due to the "0" byte at the beginning of it. BASE64 encoding seems a good method to do it.
* s4:provision_configuration - "sPNMappings": "http" missed on regeneration | Matthias Dieter Wallnöfer | 2009-09-18 | 1 | -1/+1
|
* s4/provision_configuration - re-add the "sPNMappings" | Matthias Dieter Wallnöfer | 2009-09-18 | 1 | -0/+3
| Accidentally removed by a previous commit.
* s4:scripts - Cleans also the rest under the "setup" directory up | Matthias Dieter Wallnöfer | 2009-09-18 | 3 | -30/+43
| - I removed also the "-H" parameter since those scripts are all thought for the use on a local s4 domain controller. Another reason is also the bind as SYSTEM account which itself is only possible on local binds.
* s4:various scripts under "setup" - Unification | Matthias Dieter Wallnöfer | 2009-09-18 | 4 | -73/+74
| - This unified the shape of those four scripts (comments, command sequence, call of SamDB)
| - To consider the samdb.py changes regarding the filter: there is now always the possibility either to specify the username or the search filter
* s4:domainlevel/pwsettings - Remove unused import | Matthias Dieter Wallnöfer | 2009-09-18 | 2 | -2/+0
|
* s4:domainlevel - fix indentations | Matthias Dieter Wallnöfer | 2009-09-18 | 1 | -4/+4
|
* s4:domainlevel - Add a script which allows raising the domain/forest level | Matthias Dieter Wallnöfer | 2009-09-18 | 1 | -0/+181
| This simple script allows raising the domain and/or forest level for s4. I integrated also the basic checks (since we don't perform them in LDB yet): e.g. the forest level can't be higher than the domain level(s).
* s4:pwsettings - Simplify the error handling a bit | Matthias Dieter Wallnöfer | 2009-09-18 | 1 | -5/+2
|
* s4:provision - Bump down the domain and forest level to Windows 2000 | Matthias Dieter Wallnöfer | 2009-09-18 | 1 | -6/+7
| - The DC level we keep on Windows Server 2008 R2 (we should call ourself always the newest server type)
| - The domain/forest level we set to the minimum (Windows 2000 native) to allow all AD DC types (from Windows 2000 on) in our domain
| - the NT4 "mixed" mode isn't supported by us (discussed on mailing list) -> "nTMixedDomain" is set always to 0
| - I'll add a script which allows to bump the DC level (basically sets the "msDS-Behaviour-Version" attributes on the "Partitions/Configuration/DC" and on the "DC" object)
* s4:provision - Some rework (continuation) | Matthias Dieter Wallnöfer | 2009-09-17 | 3 | -37/+307
| - Fix up "servicePrincipalNames" attributes on the DC object
| - Add some informative comments (most in "provision_self_join.ldif")
| - Add also comments where objects are missing which we may add later when we support the feature (mainly for FRS)
| - Add "domain updates" objects also under "CN=Configuration" (they exist twice)
| - Add the default services under "Services" to allow interoperability with some MS client tools
| - Smaller changes
* s4:provision - Some rework | Matthias Dieter Wallnöfer | 2009-09-17 | 11 | -23607/+23874
| - Add/change "wellKnownObjects" attributes
| - Order entries in "provision_basedn_modify.ldif"
| - Add/change "delete entries" object under BASEDN and CONFIGDN
| - Fix default version number of "Default domain policy" group policy
| - Add "domain updates" objects for interoperability with MS AD maintaining tools
| - Show version number in the "oEMInformation" attribute (suggested by ekacnet)
| - Smaller fixups
* s4:sites & services - Adds Intersite transport containers | Matthieu Patou | 2009-09-12 | 1 | -5/+28
| This patch brings up those subcontainers and fixes up the "systemFlags" on the "Subnet" entry.
* s4:group policies - the default group policy objects are all system-critical | Matthias Dieter Wallnöfer | 2009-09-12 | 1 | -0/+6
|
* s4:group policies - add the domain controller group policy | Matthias Dieter Wallnöfer | 2009-09-11 | 3 | -3/+32
| This patch fixes the last difference between s4 and Windows Server regarding group policy objects: we hadn't the domain controller policy.
| - Adds the domain controller policy as it is found in the "original" AD
| - Adds also the right version number in the GPT.INI file for the domain group policy (was missing)
* s4-provision: revert _gc_tcp priority | Andrew Tridgell | 2009-09-11 | 1 | -1/+1
| thanks to id10ts for spotting this. I was a victim of emacs zone mode, which increased it with each edit.
* s4-provision: use DNS name, not domain name | Andrew Tridgell | 2009-09-11 | 1 | -2/+2
| The SPNs end in the DNS domain name
* s4/provision: add the nTDSDSA GUID based DNS entries and SPNs | Andrew Tridgell | 2009-09-11 | 2 | -3/+8
| The DNS entries and SPNs are needed for samba<->samba DRS replication. This patch adds them for a standalone DC configure. A separate patch will add them for the vampire configure
* s4:setup Updated Display Specifiers from Microsoft (with #s) | Andrew Bartlett | 2009-09-11 | 5 | -91/+30
| This fixes the issue with the original files that they didn't have a leading # in front of the comments, which caused our parsing scripts much pain. The files are now exactly as delivered.
|
| Andrew Bartlett
* s4:pwsettings: Added blackbox tests. | Andrew Kroeger | 2009-09-10 | 1 | -0/+2
| The added tests include basic validation that the script runs and accepts all custom arguments. The tests also verify changes to the password complexity, minimum password length, and minimum password length settings.
* s4:pwsettings: Show default values in help messages. | Andrew Kroeger | 2009-09-10 | 1 | -4/+4
|
* s4:pwsettings: Add 'default' option for password complexity. | Andrew Kroeger | 2009-09-10 | 1 | -2/+2
|
* s4:pwsettings: Added validation. | Andrew Kroeger | 2009-09-10 | 1 | -4/+26
| Validate that each field is within its allowed range. Also validate that the maximum password age is greater than the minimum password length (if the maximum password age is set).
|
| I could not find these values documented anywhere in the WSPP docs. I used the values shown in the W2K8 GPMC, as it appears that the GPMC actually performs the validation of values.
* s4:pwsettings: Don't assume a value for pwdProperties. | Andrew Kroeger | 2009-09-10 | 1 | -2/+2
| If we cannot retrieve the value, do not assume a particular value. The fact that we could not retrieve the value indicates a larger problem that we don't want to make worse by possibly clearing bit fields in the pwdProperties attribute.
* s4:pwsettings: Run all updates as a single modify() operation. | Andrew Kroeger | 2009-09-10 | 1 | -31/+19
| This ensures that all changes are made, or none are made. It also makes it possible to do validation as we go and abort in case of an error, while always leaving things in a consistent state.
* s4:pwsettings: Added --quiet option. | Andrew Kroeger | 2009-09-10 | 1 | -16/+17
| Also changed all non-error status output to use the message() function, which respects the --quiet option.
* s4: Use SASL authentication against Fedora DS. | Endi Sukma Dewata | 2009-09-10 | 5 | -18/+35
| 1. During instance creation the provisioning script will import the SASL mapping for samba-admin. It's done here due to missing config schema preventing adding the mapping via ldapi.
| 2. After that it will use ldif2db to import the cn=samba-admin user as the target of SASL mapping.
| 3. Then it will start FDS and continue to do provisioning using the Directory Manager with simple bind.
| 4. The SASL credentials will be stored in secrets.ldb, so when Samba server runs later it will use the SASL credentials.
| 5. After the provisioning is done (just before stopping the slapd) it will use the DM over direct ldapi to delete the default SASL mappings included automatically by FDS, leaving just the new samba-admin mapping.
| 6. Also before stopping slapd it will use the DM over direct ldapi to set the ACL on the root entries of the user, configuration, and schema partitions. The ACL will give samba-admin the full access to these partitions.
|
| Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4:pwsettings: Correct off by factor of 10 for ticks. | Andrew Kroeger | 2009-09-07 | 1 | -4/+4
| The tick conversion math was off by a factor of 10 due to the incorrect usage of the "e" notation. The expression "XeY" means "X * (10^Y)", so the correct expression is 1e7 to get the correct adjustment for ticks.
* s4:Foreign security principals - Fix them up | Matthias Dieter Wallnöfer | 2009-09-07 | 2 | -0/+31
| I fixed them up to match with Windows Server 2003. I don't think that the creation of them in the provision script is needed so I put them in the "provision_users.ldif" file.
* s4:samldb - Major rework | Matthias Dieter Wallnöfer | 2009-09-07 | 2 | -53/+0
| This fixes up the change of the primary group of a user when using the ADUC console:
| - When the "primaryGroupId" attribute changes, we have to delete the "member"/"memberOf" attribute reference of the new primary group and add one for the old primary group.
| - Deny deletion of primary groups according to Windows Server (so we cannot have invalid "primaryGroupID" attributes in our AD).
| - We cannot add a primary group directly before it isn't a secondary one of a user account.
| - We cannot add a secondary reference ("member" attribute) when the group has been chosen as primary one.
|
| This also removes the LDB templates which are basically overhead now. This should also fix bug #6599.
* s4:provision - Change the "provision_users.ldif" file to support the "samldb" changes | Matthias Dieter Wallnöfer | 2009-09-07 | 1 | -26/+35
| The "provision_users.ldif" file needs some rework to pass against the changed and improved "samldb" module (see next commit).
* s4:setup: Remove display_specifiers.ldif. | Andrew Kroeger | 2009-09-07 | 1 | -482/+0
| This file is no longer needed as the DisplaySpecifiers are now generated from files provided by Microsoft.
* s4:setup: Updated comment to reflect new DisplaySpecifiers location. | Andrew Kroeger | 2009-09-07 | 1 | -1/+3
|
* s4:setup: Change license headers to LDIF comments. | Andrew Kroeger | 2009-09-07 | 5 | -86/+146
| The original license headers provided by Microsoft cannot be parsed as valid LDIF. Changed the license headers to be valid LDIF comments, and added a new header section detailing the exact changes that were made to the original document.
|
| Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4:setup Add DisplaySpecifiers from Microsoft. | Andrew Bartlett | 2009-09-07 | 5 | -0/+148158
| Like the schema, these are provided under the licence at the head of the file, which is not the GPL, but allows us to distribute them with Samba.
|
| Andrew Bartlett
* s4:pwsettings - Introduce the LDB modify flags in the right way | Matthias Dieter Wallnöfer | 2009-09-06 | 1 | -27/+8
| We can't emulate them through the LDB changetype flags since they haven't the same constants! The previous behaviour led to huge problems.
* s4:provision Ensure that @OPTIONS is mirrored into each partition | Andrew Bartlett | 2009-08-26 | 2 | -3/+3
| The previous patches to the provision system cut down on the number of reconnects, and disabled the partition handling for part of the process. This means we lost the setting of @OPTIONS as a replicated attribute into the partitions.
|
| Andrew Bartlett
* s4:provision Add prefixes to ldb using same code a later modify will use | Andrew Bartlett | 2009-08-26 | 1 | -3/+0
| This allows us to test out the code that will do the modify of the prefixMap, and to provide the bindings that may assist a future upgrade script.
|
| Andrew Bartlett
* s4:provision Only create references to our server DN after the self join | Andrew Bartlett | 2009-08-26 | 5 | -9/+29
| This will ensure that the GUID can be filled in correctly, and assist us to validate DN targets in the future.
|
| Andrew Bartlett
* we need the Deleted Objects container for replication | Andrew Tridgell | 2009-08-19 | 1 | -0/+6
| When objects are deleted they get renamed to this container. The container needs to exist when we provision
* s4:python tools - Centralise the lookups for the default domain (root) in the call "domain_dn" from SamDB | Matthias Dieter Wallnöfer | 2009-08-17 | 2 | -16/+7
|
* s4: Re-add --ldapadminpass as an option to provision | Andrew Bartlett | 2009-08-17 | 1 | -0/+3
| This should make setting up LDAP servers more predictable.
|
| When not specified, it is random
|
| Andrew Bartlett
* s4:provision Fixes for Fedora DS schema mapping with full AD schema | Endi Sukma Dewata | 2009-08-17 | 1 | -0/+8
|
* s4:provision Rework provision-backend into provision | Andrew Bartlett | 2009-08-17 | 7 | -147/+36
| This removes a *lot* of duplicated code and the cause of much administrator frustration. We now handle starting and stopping the slapd (at least for the provision), and ensure that there is only one 'right' way to configure the OpenLDAP and Fedora DS backend
|
| We now run OpenLDAP in 'cn=config' mode for online configuration.
|
| To test what was the provision-backend code, a new --ldap-dryrun-mode option has been added to provision. It quits the provision just before it would start the LDAP binaries
|
| Andrew Bartlett
* s4:setup Don't manually set @ATTRIBUTES any more | Andrew Bartlett | 2009-08-17 | 1 | -32/+0
| We now set these as part of the schema load, and we now load the schema before the provision loads the DB, so setting them here is pointless
|
| Andrew Bartlett
* s4:provision Remove the ACI element from the provision templates | Andrew Bartlett | 2009-08-17 | 4 | -17/+14
| We need to find a better way to apply this (used in the Fedora DS LDAP backend), not by trying to tunnel this down the module stack.
|
| Andrew Bartlett
* s4: Correct the parameter logic of the "setpassword" script | Matthias Dieter Wallnöfer | 2009-08-14 | 1 | -7/+4
| Either the username or the filter are allowed. If both are given the filter is going to be used due to a higher precedence.
* s4:pwsettings script - Fix a small glitch | Matthias Dieter Wallnöfer | 2009-08-11 | 1 | -5/+10
| This fixes the problem with the setting and getting of the "minPwdAge" and "maxPwdAge" attributes. I wanted to handle them in days but forgot to add conversions (from "ticks" (tenth of microsecond) -> "days" and backwards).
* s4:AD LDIFs - More refactoring | Matthias Dieter Wallnöfer | 2009-08-11 | 4 | -221/+167
| This commit includes:
| - Additional static object data in SAMBA 4's AD to start supporting of
|   - forest updates,
|   - lost and found,
|   - quotas on DS,
|   - physical locations,
|   - licensing of sites,
|   - subnets,
|   - policies for WMI,
|   - DNS entries in AD
| - Reordering of provision*.ldif files to be able to find entries and make future additions easier
| - Add comments in provision*.ldif files to point out where subentries are located when they are based in other LDIFs
| - Removal of autogenerated "cn" attributes
* s4:provision Allow provision-backend to not run slapd for 'make test' | Andrew Bartlett | 2009-08-12 | 2 | -6/+10
| As the version of OpenLDAP required for Samba4 is fairly new, we don't want to make it a requirement before this python code is run in 'make test'.
|
| As such, skip over the actual starting of slapd, but check the rest runs alright (which still validates syntax and other modules).
|
| Andrew Bartlett