Diffstat (limited to 'source4/setup')
-rwxr-xr-x | source4/setup/domainlevel | 187 | ||||
-rwxr-xr-x | source4/setup/enableaccount | 72 | ||||
-rwxr-xr-x | source4/setup/newuser | 10 | ||||
-rw-r--r-- | source4/setup/provision.ldif | 15 | ||||
-rw-r--r-- | source4/setup/provision_configuration.ldif | 263 | ||||
-rw-r--r-- | source4/setup/provision_self_join.ldif | 82 | ||||
-rwxr-xr-x | source4/setup/pwsettings | 47 | ||||
-rwxr-xr-x | source4/setup/setexpiry | 50 | ||||
-rwxr-xr-x | source4/setup/setpassword | 14 |
9 files changed, 602 insertions, 138 deletions
diff --git a/source4/setup/domainlevel b/source4/setup/domainlevel
new file mode 100755
index 0000000000..811e29cb2d
--- /dev/null
+++ b/source4/setup/domainlevel
@@ -0,0 +1,187 @@ +#!/usr/bin/python +# +# Raises domain and forest function levels +# +# Copyright Matthias Dieter Wallnoefer 2009 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import sys + +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") + +import samba.getopt as options +import optparse +import ldb + +from samba.auth import system_session +from samba.samdb import SamDB +from samba import DS_DOMAIN_FUNCTION_2000, DS_DOMAIN_FUNCTION_2003 +from samba import DS_DOMAIN_FUNCTION_2008, DS_DOMAIN_FUNCTION_2008_R2 + +parser = optparse.OptionParser("domainlevel (show | raise <options>)") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +parser.add_option("--quiet", help="Be quiet", action="store_true") +parser.add_option("--forest", + help="The forest function level (2000 | 2003 | 2008 | 2008_R2). We don't support mixed/interim (NT4 DC support) levels.", type=str) +parser.add_option("--domain", + help="The domain function level (2000 | 2003 | 2008 | 2008_R2). 
We don't support mixed/interim (NT4 DC support) levels.", type=str) +opts, args = parser.parse_args() + +# +# print a message if quiet is not set +# +def message(text): + if not opts.quiet: + print text + +if len(args) == 0: + parser.print_usage() + sys.exit(1) + +lp = sambaopts.get_loadparm() +creds = credopts.get_credentials(lp) + +samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), + credentials=creds, lp=lp) + +domain_dn = SamDB.domain_dn(samdb) + +res_forest = samdb.search("CN=Partitions,CN=Configuration," + domain_dn, + scope=ldb.SCOPE_BASE, attrs=["msDS-Behavior-Version"]) +assert(len(res_forest) == 1) + +res_domain = samdb.search(domain_dn, scope=ldb.SCOPE_BASE, + attrs=["msDS-Behavior-Version"]) +assert(len(res_domain) == 1) + +try: + level_forest = int(res_forest[0]["msDS-Behavior-Version"][0]) + level_domain = int(res_domain[0]["msDS-Behavior-Version"][0]) + + if level_forest < 0 or level_forest == 1 or level_forest > 4 or level_domain < 0 or level_domain == 1 or level_domain > 4: + print "ERROR: Domain and/or forest functional level(s) is/are invalid. Correct them or reprovision!" + sys.exit(1) + if level_forest > level_domain: + print "ERROR: Forest function level is higher than the domain level(s). That can't be. Correct this or reprovision!" + sys.exit(1) +except: + print "ERROR: Could not retrieve the actual domain and forest level!" + if args[0] == "show": + print "So the levels can't be displayed!" 
+ sys.exit(1) + +if args[0] == "show": + message("Domain and forest function level for domain '" + domain_dn + "'") + message("") + + if level_forest == DS_DOMAIN_FUNCTION_2000: + outstr = "2000" + elif level_forest == DS_DOMAIN_FUNCTION_2003: + outstr = "2003" + elif level_forest == DS_DOMAIN_FUNCTION_2008: + outstr = "2008" + elif level_forest == DS_DOMAIN_FUNCTION_2008_R2: + outstr = "2008 R2" + message("Forest function level: (Windows) " + outstr) + + if level_domain == DS_DOMAIN_FUNCTION_2000: + outstr = "2000" + elif level_domain == DS_DOMAIN_FUNCTION_2003: + outstr = "2003" + elif level_domain == DS_DOMAIN_FUNCTION_2008: + outstr = "2008" + elif level_domain == DS_DOMAIN_FUNCTION_2008_R2: + outstr = "2008 R2" + message("Domain function level: (Windows) " + outstr) + +elif args[0] == "raise": + msgs = [] + + if opts.domain is not None: + arg = opts.domain + + if arg == "2000": + new_level_domain = DS_DOMAIN_FUNCTION_2000 + elif arg == "2003": + new_level_domain = DS_DOMAIN_FUNCTION_2003 + elif arg == "2008": + new_level_domain = DS_DOMAIN_FUNCTION_2008 + elif arg == "2008_R2": + new_level_domain = DS_DOMAIN_FUNCTION_2008_R2 + else: + print "ERROR: Wrong argument '" + arg + "'!" + sys.exit(1) + + if new_level_domain <= level_domain: + print "ERROR: Domain function level can't be smaller equal to the actual one!" 
+ sys.exit(1) + + m = ldb.Message() + m.dn = ldb.Dn(samdb, domain_dn) + m["msDS-Behavior-Version"]= ldb.MessageElement( + str(new_level_domain), ldb.FLAG_MOD_REPLACE, + "msDS-Behavior-Version") + samdb.modify(m) + + level_domain = new_level_domain + + msgs.append("Domain function level changed!") + + if opts.forest is not None: + arg = opts.forest + + if arg == "2000": + new_level_forest = DS_DOMAIN_FUNCTION_2000 + elif arg == "2003": + new_level_forest = DS_DOMAIN_FUNCTION_2003 + elif arg == "2008": + new_level_forest = DS_DOMAIN_FUNCTION_2008 + elif arg == "2008_R2": + new_level_forest = DS_DOMAIN_FUNCTION_2008_R2 + else: + print "ERROR: Wrong argument '" + arg + "'!" + sys.exit(1) + + if new_level_forest <= level_forest: + print "ERROR: Forest function level can't be smaller equal to the actual one!" + sys.exit(1) + + if new_level_forest > level_domain: + print "ERROR: Forest function level can't be higher than the domain function level(s). Please raise it/them first!" + sys.exit(1) + + m = ldb.Message() + + m.dn = ldb.Dn(samdb, "CN=Partitions,CN=Configuration," + + domain_dn) + m["msDS-Behavior-Version"]= ldb.MessageElement( + str(new_level_forest), ldb.FLAG_MOD_REPLACE, + "msDS-Behavior-Version") + samdb.modify(m) + + msgs.append("Forest function level changed!") + + msgs.append("All changes applied successfully!") + + message("\n".join(msgs)) +else: + print "ERROR: Wrong argument '" + args[0] + "'!" + sys.exit(1) diff --git a/source4/setup/enableaccount b/source4/setup/enableaccount index d4e954074b..0ca5b39faa 100755 --- a/source4/setup/enableaccount +++ b/source4/setup/enableaccount 
@@ -1,18 +1,31 @@ #!/usr/bin/python # -# Enables a disabled user account on a Samba4 server -# Copyright Andrew Tridgell 2005 -# Copyright Jelmer Vernooij 2008 -# Released under the GNU GPL version 3 or later +# Enables an user account on a Samba4 server +# Copyright Jelmer Vernooij 2008 +# +# Based on the original in EJS: +# Copyright Andrew Tridgell 2005 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. # -import os, sys -sys.path.insert(0, os.path.join(os.path.dirname(sys.argv[0]), "../bin/python")) +import sys + +sys.path.insert(0, "bin/python") import samba.getopt as options import optparse -import pwd -import ldb from samba.auth import system_session from samba.samdb import SamDB 
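Review bot: `sys.path.insert(0, "bin/python")` replaces the script-relative path with one relative to the current working directory, so which `samba` package is imported now depends on where the administrator happens to run the tool, and any `bin/python` directory under that location is picked up ahead of the installed modules. Anchoring on the script's own location keeps the source-tree convenience without that dependency, e.g. `sys.path.insert(0, os.path.join(os.path.dirname(os.path.abspath(sys.argv[0])), "../bin/python"))` (keeping `import os`). The same line is introduced in pwsettings and in the new domainlevel script in this commit, and already exists in newuser, setexpiry and setpassword.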
@@ -23,49 +36,24 @@ parser.add_option_group(sambaopts) parser.add_option_group(options.VersionOptions(parser)) credopts = options.CredentialsOptions(parser) parser.add_option_group(credopts) -parser.add_option("-H", help="LDB URL for database or target server", type=str) -parser.add_option("--base", help="Base DN to search for user under", type=str) +parser.add_option("--filter", help="LDAP Filter to set password on", type=str) opts, args = parser.parse_args() -# -# print a message if quiet is not set -# -def message(text): - if not opts.quiet: - print text +filter = opts.filter -if len(args) == 0: +if (len(args) == 0) and (filter is None): + print "Either the username or '--filter' must be specified!" parser.print_usage() sys.exit(1) -username = args[0] - -if username is None: - print "username must be specified" +if filter is None: + username = args[0] + filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username) lp = sambaopts.get_loadparm() - creds = credopts.get_credentials(lp) -if opts.H is not None: - url = opts.H -else: - url = lp.get("sam database") - -samdb = SamDB(url=url, session_info=system_session(), +samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), credentials=creds, lp=lp) - -domain_dn = opts.base -if domain_dn is None: - domain_dn = SamDB.domain_dn(samdb) - -filter = "(&(objectClass=user)(samAccountName=%s))" % username - -res = samdb.search(domain_dn, scope=ldb.SCOPE_SUBTREE, - expression=filter, - attrs=[]) -assert(len(res) == 1) -user_dn = res[0].dn - -samdb.enable_account(user_dn) +samdb.enable_account(filter) diff --git a/source4/setup/newuser b/source4/setup/newuser index cc89e922a7..422677c301 100755 --- a/source4/setup/newuser +++ b/source4/setup/newuser @@ -1,6 +1,6 @@ #!/usr/bin/python # -# Add a new user to a Samba4 server +# Adds a new user to a Samba4 server # Copyright Jelmer Vernooij 2008 # # Based on the original in EJS: 
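Review bot: The positional username is interpolated into the LDAP filter with `%s` and no escaping, so a value containing filter metacharacters (`*`, `(`, `)`, `\`) changes the query instead of being matched literally, and the old `assert(len(res) == 1)` single-match guard is dropped in favour of whatever `samdb.enable_account(filter)` enforces, which is not visible here. Escape the value per RFC 4515 before building the filter, or at least reject those characters, and confirm that `enable_account` refuses to act on more than one matching entry; setexpiry and setpassword build the same filter string. The `--filter` help text `"LDAP Filter to set password on"` was copied from setpassword and should read `"LDAP filter selecting the account to enable"`.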
@@ -18,6 +18,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. + import sys # Find right directory when running from source tree @@ -25,8 +26,10 @@ sys.path.insert(0, "bin/python") import samba.getopt as options import optparse + from getpass import getpass from samba.auth import system_session +from samba.samdb import SamDB parser = optparse.OptionParser("newuser [options] <username> [<password>]") sambaopts = options.SambaOptions(parser) @@ -34,7 +37,6 @@ parser.add_option_group(sambaopts) parser.add_option_group(options.VersionOptions(parser)) credopts = options.CredentialsOptions(parser) parser.add_option_group(credopts) -parser.add_option("--quiet", help="Be quiet", action="store_true") parser.add_option("--unixname", help="Unix Username", type=str) parser.add_option("--must-change-at-next-login", help="Force password to be changed on next login", action="store_true") @@ -56,6 +58,6 @@ if opts.unixname is None: lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) -samdb = sambaopts.get_hostconfig().get_samdb(session_info=system_session(), - credentials=creds) +samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), + credentials=creds, lp=lp) samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login=opts.must_change_at_next_login) diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index 1690dc6c02..d46406e144 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif 
@@ -5,24 +5,25 @@ dn: CN=Builtin,${DOMAINDN} objectClass: top objectClass: builtinDomain +creationTime: ${CREATTIME} forceLogoff: -9223372036854775808 +isCriticalSystemObject: TRUE lockoutDuration: -18000000000 lockOutObservationWindow: -18000000000 lockoutThreshold: 0 maxPwdAge: -37108517437440 minPwdAge: 0 minPwdLength: 0 +modifiedCount: 1 modifiedCountAtLastProm: 0 nextRid: 1000 -pwdProperties: 0 -pwdHistoryLength: 0 objectSid: S-1-5-32 +pwdHistoryLength: 0 +pwdProperties: 0 serverState: 1 -uASCompat: 1 -modifiedCount: 1 -systemFlags: -1946157056 -isCriticalSystemObject: TRUE showInAdvancedViewOnly: FALSE +systemFlags: -1946157056 +uASCompat: 1 dn: CN=Deleted Objects,${DOMAINDN} objectClass: top @@ -366,6 +367,8 @@ objectClass: nTFRSSettings systemFlags: -1946157056 isCriticalSystemObject: TRUE +# Here are missing the FRS objects since we don't support this technique yet + dn: CN=FileLinks,CN=System,${DOMAINDN} objectClass: top objectClass: fileLinkTracking diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif index ac641da775..506ff21641 100644 --- a/source4/setup/provision_configuration.ldif +++ b/source4/setup/provision_configuration.ldif @@ -15,6 +15,8 @@ isDeleted: TRUE isCriticalSystemObject: TRUE systemFlags: -1946157056 +# Extended rights + dn: CN=Extended-Rights,${CONFIGDN} objectClass: top objectClass: container @@ -637,6 +639,8 @@ appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2 localizationDisplayId: 28 validAccesses: 256 +# Forest updates + dn: CN=ForestUpdates,${CONFIGDN} objectClass: top objectClass: container 
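Review bot: `creationTime: ${CREATTIME}` introduces a new substitution variable whose exact spelling must match the provisioning code that expands this template; that code is not part of this diff, and an unexpanded placeholder would be written literally into the attribute. Please confirm the name against the substitution dictionary, since `CREATTIME` reads like a slip for `CREATETIME`. The added comment reads better as `# The FRS objects are missing here since we don't support that feature yet`.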
@@ -645,6 +649,154 @@ dn: CN=Operations,CN=ForestUpdates,${CONFIGDN} objectClass: top objectClass: container +dn: CN=6b800a81-affe-4a15-8e41-6ea0c7aa89e4,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=dd07182c-3174-4c95-902a-d64fee285bbf,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=ffa5ee3c-1405-476d-b344-7ad37d69cc25,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=099f1587-af70-49c6-ab6c-7b3e82be0fe2,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=94fdebc6-8eeb-4640-80de-ec52b9ca17fa,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=1a3f6b15-55f2-4752-ba27-3d38a8232c4d,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=dee21a17-4e8e-4f40-a58c-c0c009b685a7,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=9bd98bb4-4047-4de5-bf4c-7bd1d0f6d21d,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=3fe80fbf-bf39-4773-b5bd-3e5767a30d2d,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=f02915e2-9141-4f73-b8e7-2804662782da,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=39902c52-ef24-4b4b-8033-2c9dfdd173a2,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=20bf09b4-6d0b-4cd1-9c09-4231edf1209b,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=94f238bb-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=94f238bc-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: 
CN=94f238bd-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=94f238be-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=94f238bf-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=94f238c0-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=eda27b47-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=eda27b48-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=eda27b49-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=eda27b4a-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=26d9c510-e61a-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=26d9c511-e61a-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=3467dae5-dedd-4648-9066-f48ac186b20a,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=33b7ee33-1386-47cf-baa1-b03e06473253,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=e9ee8d55-c2fb-4723-a333-c80ff4dfbf45,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=ccfae63a-7fb5-454c-83ab-0e8e1214974e,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=ad3c7909-b154-4c16-8bf7-2c3a7870bb3d,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: 
CN=26ad2ebf-f8f5-44a4-b97c-a616c8b9d09a,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=4444c516-f43a-4c12-9c4b-b5c064941d61,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=436a1a4b-f41a-46e6-ac86-427720ef29f3,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=b2b7fb45-f50d-41bc-a73b-8f580f3b636a,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=1bdf6366-c3db-4d0b-b8cb-f99ba9bce20f,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=63c0f51a-067c-4640-8a4f-044fb33f1049,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=dae441c0-366e-482e-98d9-60a99a1898cc,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=7dd09ca6-f0d6-43bf-b7f8-ef348f435617,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + dn: CN=Windows2003Update,CN=ForestUpdates,${CONFIGDN} objectClass: top objectClass: container @@ -662,6 +814,8 @@ description: Quota specifications container msDS-TombstoneQuotaFactor: 100 systemFlags: -2147483648 +# Partitions + dn: CN=Partitions,${CONFIGDN} objectClass: top objectClass: crossRefContainer 
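Review bot: No comment explains the forty-odd GUID-named containers placed under `CN=Operations,CN=ForestUpdates`, so a later maintainer cannot tell which may be dropped or must be added when the schema is updated. They appear to be the operation markers that Windows forest preparation writes to record which forest updates have already been applied; a comment at the top of the list such as `# Operation GUIDs recorded by Windows forestprep; tools consult these to decide which forest updates still need to run` would make that explicit. If the GUIDs were taken from a reference Windows provision, naming that version in the comment would help too.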
@@ -669,27 +823,30 @@ systemFlags: -2147483648 msDS-Behavior-Version: ${FOREST_FUNCTIONALALITY} showInAdvancedViewOnly: TRUE +# Partitions for DNS are missing since we don't support AD DNS + dn: CN=Enterprise Configuration,CN=Partitions,${CONFIGDN} objectClass: top objectClass: crossRef -systemFlags: 1 -nCName: ${CONFIGDN} dnsRoot: ${DNSDOMAIN} +nCName: ${CONFIGDN} +systemFlags: 1 dn: CN=Enterprise Schema,CN=Partitions,${CONFIGDN} objectClass: top objectClass: crossRef -systemFlags: 1 -nCName: ${SCHEMADN} dnsRoot: ${DNSDOMAIN} +nCName: ${SCHEMADN} +systemFlags: 1 dn: CN=${DOMAIN},CN=Partitions,${CONFIGDN} objectClass: top objectClass: crossRef -systemFlags: 3 +dnsRoot: ${DNSDOMAIN} nCName: ${DOMAINDN} nETBIOSName: ${DOMAIN} -dnsRoot: ${DNSDOMAIN} +nTMixedDomain: 0 +systemFlags: 3 dn: CN=Physical Locations,${CONFIGDN} objectClass: top 
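Review bot: The substitution name `${FOREST_FUNCTIONALALITY}` in the context line just above the new `nTMixedDomain: 0` is misspelled; it is pre-existing and presumably matches the provisioning code, but since this commit rewrites the same object it is a cheap moment to rename it in both places to `FOREST_FUNCTIONALITY`. `nTMixedDomain: 0` hard-codes native mode, which is consistent with the new domainlevel script refusing mixed/interim levels; a one-line comment saying so, e.g. `# native mode only; mixed/interim (NT4 BDC) domains are not supported`, would save the next reader a lookup.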
@@ -699,11 +856,91 @@ l: Physical Locations tree root # Schema located in "ad-schema/*.txt" +# Services + dn: CN=Services,${CONFIGDN} objectClass: top objectClass: container systemFlags: -2147483648 +dn: CN=MsmqServices,CN=Services,${CONFIGDN} +objectClass: top +objectClass: mSMQEnterpriseSettings +mSMQVersion: 200 + +dn: CN=NetServices,CN=Services,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=Public Key Services,CN=Services,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=Certificate Templates,CN=Public Key Services,CN=Services,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=Enrollment Services,CN=Public Key Services,CN=Services,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=Certification Authorities,CN=Public Key Services,CN=Services,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=AIA,CN=Public Key Services,CN=Services,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=CDP,CN=Public Key Services,CN=Services,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=KRA,CN=Public Key Services,CN=Services,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=OID,CN=Public Key Services,CN=Services,${CONFIGDN} +objectClass: top +objectClass: msPKI-Enterprise-Oid + +dn: CN=RRAS,CN=Services,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=IdentityDictionary,CN=RRAS,CN=Services,${CONFIGDN} +objectClass: top +objectClass: rRASAdministrationDictionary +msRRASVendorAttributeEntry: 311:6:803:RADIUS Accouting +msRRASVendorAttributeEntry: 311:6:802:RADIUS Authentication +msRRASVendorAttributeEntry: 311:6:801:NT Domain Authentication +msRRASVendorAttributeEntry: 311:6:714:Point to point parallel connection +msRRASVendorAttributeEntry: 311:6:713:Point to point serial connection +msRRASVendorAttributeEntry: 311:6:712:Generic LAN +msRRASVendorAttributeEntry: 311:6:711:Generic WAN +msRRASVendorAttributeEntry: 311:6:710:X.25 +msRRASVendorAttributeEntry: 
311:6:709:IrDA +msRRASVendorAttributeEntry: 311:6:708:Switched 56 +msRRASVendorAttributeEntry: 311:6:707:SONET +msRRASVendorAttributeEntry: 311:6:706:Modem +msRRASVendorAttributeEntry: 311:6:705:ISDN +msRRASVendorAttributeEntry: 311:6:704:ATM +msRRASVendorAttributeEntry: 311:6:703:Frame Relay +msRRASVendorAttributeEntry: 311:6:702:Layer 2 Tunneling Protocol +msRRASVendorAttributeEntry: 311:6:701:Point-to-Point Tunneling Protocol +msRRASVendorAttributeEntry: 311:6:604:Network Address and Port Translation +msRRASVendorAttributeEntry: 311:6:603:Demand Dial Router +msRRASVendorAttributeEntry: 311:6:602:Remote Access Server +msRRASVendorAttributeEntry: 311:6:601:LAN-to- LAN Router +msRRASVendorAttributeEntry: 311:6:503:AppleTalk Forwarding Enabled +msRRASVendorAttributeEntry: 311:6:502:IPX Forwarding Enabled +msRRASVendorAttributeEntry: 311:6:501:IP Forwarding Enabled +msRRASVendorAttributeEntry: 311:5:2:IPX SAP +msRRASVendorAttributeEntry: 311::5:1:IPX RIP +msRRASVendorAttributeEntry: 311:1:10:IGMP Only +msRRASVendorAttributeEntry: 311:0:13:OSPF +msRRASVendorAttributeEntry: 311:0:8:RIP (version 1 or 2) + dn: CN=Windows NT,CN=Services,${CONFIGDN} objectClass: top objectClass: container @@ -711,7 +948,12 @@ objectClass: container dn: CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN} objectClass: top objectClass: nTDSService -sPNMappings: host=ldap,dns,cifs,http +msDS-Other-Settings: DisableVLVSupport=0 +msDS-Other-Settings: DynamicObjectMinTTL=900 +msDS-Other-Settings: DynamicObjectDefaultTTL=86400 +# "sPNMappings" needs to be enhanced when we add features +sPNMappings: host=dns,netlogon,rpc,cifs,wins,http +tombstoneLifetime: 180 dn: CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN} objectClass: top @@ -734,6 +976,8 @@ lDAPAdminLimits: MaxConnIdleTime=900 lDAPAdminLimits: InitRecvTimeout=120 lDAPAdminLimits: MaxConnections=5000 +# Sites + dn: CN=Sites,${CONFIGDN} objectClass: top objectClass: sitesContainer 
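Review bot: Three of the new `msRRASVendorAttributeEntry` values deviate from the `311:<type>:<id>:<name>` shape of their neighbours: `311::5:1:IPX RIP` has a doubled colon, `311:6:803:RADIUS Accouting` misspells "Accounting", and `311:6:601:LAN-to- LAN Router` has a stray space. If these were copied verbatim from a Windows DC they may be deliberate fidelity quirks; if they were typed in, they are typos. Either way a comment on the `IdentityDictionary` entry saying which it is, e.g. `# Values copied verbatim from a Windows reference DC, including its spelling quirks`, would stop the next reader from "fixing" or re-introducing them.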
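Review bot: Every DC account must now carry explicit `ldap/...` servicePrincipalName values, because `ldap` is dropped from `sPNMappings` (`host=dns,netlogon,rpc,cifs,wins,http`) and a ticket request for `ldap/<dc>` is no longer satisfied by the `HOST/` principal; the self-join template in this commit adds them, but a DC account provisioned before this change would presumably fail LDAP Kerberos authentication until its SPNs are updated. The comment `# "sPNMappings" needs to be enhanced when we add features` should state why `ldap` was removed, e.g. `# ldap/ is not in the host mapping (as on Windows); DCs register ldap/ SPNs explicitly in provision_self_join.ldif`. The new `tombstoneLifetime: 180` and `msDS-Other-Settings` values look like plain Windows defaults and are fine.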
@@ -759,6 +1003,7 @@ objectClass: top objectClass: interSiteTransport transportAddressAttribute: dNSHostName transportDLLName: ismip.dll +systemFlags: -2147483648 dn: CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,${CONFIGDN} objectClass: top @@ -785,3 +1030,7 @@ objectClass: top objectClass: serversContainer systemFlags: 33554432 +dn: CN=Subnets,CN=Sites,${CONFIGDN} +objectClass: top +objectClass: subnetContainer +systemFlags: -1073741824 diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif index c59c421b7f..639bc96040 100644 --- a/source4/setup/provision_self_join.ldif +++ b/source4/setup/provision_self_join.ldif 
@@ -1,41 +1,43 @@ -# Join the DC to itself +# Accounts for selfjoin (joins DC to itself) +# Object under "Domain Controllers" dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN} objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user objectClass: computer -userAccountControl: 532480 -localPolicyFlags: 0 -primaryGroupID: 516 accountExpires: 9223372036854775807 -sAMAccountName: ${NETBIOSNAME}$ +dNSHostName: ${DNSNAME} +# "frsComputerReferenceBL" doesn't exist since we still miss FRS support +isCriticalSystemObject: TRUE +localPolicyFlags: 0 operatingSystem: Samba operatingSystemVersion: ${SAMBA_VERSION_STRING} -dNSHostName: ${DNSNAME} -userPassword:: ${MACHINEPASS_B64} -servicePrincipalName: HOST/${DNSNAME} +primaryGroupID: 516 +# "rIDSetReferences" doesn't exist since we still miss distributed RIDs +sAMAccountName: ${NETBIOSNAME}$ +# "servicePrincipalName" for FRS doesn't exit since we still miss FRS support +# "servicePrincipalName"s for DNS ("ldap/../ForestDnsZones", +# "ldap/../DomainDnsZones", "DNS/..") don't exist since we don't support AD DNS +servicePrincipalName: GC/${DNSNAME}/${REALM} +servicePrincipalName: HOST/${DNSNAME}/${DOMAIN} servicePrincipalName: HOST/${NETBIOSNAME} +servicePrincipalName: HOST/${DNSNAME} servicePrincipalName: HOST/${DNSNAME}/${REALM} -servicePrincipalName: HOST/${NETBIOSNAME}/${REALM} -servicePrincipalName: HOST/${DNSNAME}/${DOMAIN} -servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN} -isCriticalSystemObject: TRUE +# "servicePrincipalName"s with GUIDs are located in +# "provision_self_join_modify.ldif" +servicePrincipalName: ldap/${DNSNAME}/${DOMAIN} +servicePrincipalName: ldap/${NETBIOSNAME} +servicePrincipalName: ldap/${DNSNAME} +servicePrincipalName: ldap/${DNSNAME}/${REALM} +userAccountControl: 532480 +userPassword:: ${MACHINEPASS_B64} -#Provide a account for DNS keytab export -dn: CN=dns,CN=Users,${DOMAINDN} -objectClass: top -objectClass: person -objectClass: organizationalPerson 
-objectClass: user -description: DNS Service Account -userAccountControl: 514 -accountExpires: 9223372036854775807 -sAMAccountName: dns -servicePrincipalName: DNS/${DNSDOMAIN} -userPassword:: ${DNSPASS_B64} -isCriticalSystemObject: TRUE +# Here are missing the objects for the NTFRS subscription and the RID set since +# we don't support those techniques (FRS, distributed RIDs) yet. + +# Objects under "Configuration/Sites/<Default sitename>/Servers" dn: ${SERVERDN} objectClass: top @@ -48,14 +50,34 @@ dn: CN=NTDS Settings,${SERVERDN} objectClass: top objectClass: applicationSettings objectClass: nTDSDSA -options: 1 -systemFlags: 33554432 dMDLocation: ${SCHEMADN} +hasMasterNCs: ${CONFIGDN} +hasMasterNCs: ${SCHEMADN} +hasMasterNCs: ${DOMAINDN} invocationId: ${INVOCATIONID} msDS-Behavior-Version: ${DOMAIN_CONTROLLER_FUNCTIONALITY} +msDS-HasDomainNCs: ${DOMAINDN} +# "msDS-HasInstantiatedNCs"s for DNS don't exist since we don't support AD DNS +msDS-HasInstantiatedNCs: B:8:0000000D:${CONFIGDN} +msDS-HasInstantiatedNCs: B:8:0000000D:${SCHEMADN} +msDS-HasInstantiatedNCs: B:8:00000005:${DOMAINDN} +# "msDS-hasMasterNCs"s for DNS don't exist since we don't support AD DNS msDS-hasMasterNCs: ${CONFIGDN} msDS-hasMasterNCs: ${SCHEMADN} msDS-hasMasterNCs: ${DOMAINDN} -hasMasterNCs: ${CONFIGDN} -hasMasterNCs: ${SCHEMADN} -hasMasterNCs: ${DOMAINDN} +options: 1 +systemFlags: 33554432 + +# Provides an account for DNS keytab export +dn: CN=dns,CN=Users,${DOMAINDN} +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +description: DNS Service Account +userAccountControl: 514 +accountExpires: 9223372036854775807 +sAMAccountName: dns +servicePrincipalName: DNS/${DNSDOMAIN} +userPassword:: ${DNSPASS_B64} +isCriticalSystemObject: TRUE diff --git a/source4/setup/pwsettings b/source4/setup/pwsettings index cd9c07dfb5..6a5e18ef59 100755 --- a/source4/setup/pwsettings +++ b/source4/setup/pwsettings 
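Review bot: `userAccountControl: 532480` on the DC computer object is `SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION` (0x2000 | 0x80000), i.e. the account is granted unconstrained delegation; that is normal for a domain controller, but nothing in the template says so and the alphabetical reordering now separates the value from the SPN and password lines it belongs with. A comment such as `# 532480 = SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION (standard for a DC)` above it would make the privilege explicit. In the same hunk the comment `"servicePrincipalName" for FRS doesn't exit` should read `doesn't exist`.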
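Review bot: The relocated DNS service account keeps `userAccountControl: 514` without saying that this is `NORMAL_ACCOUNT | ACCOUNTDISABLE`, so the account is created disabled and exists only so the `DNS/${DNSDOMAIN}` key can be exported to a keytab; since it also receives a password (`userPassword:: ${DNSPASS_B64}`), a reader could mistake it for a logon-capable account. Extend the comment to `# Provides an account for DNS keytab export (UAC 514 = disabled; interactive logon not intended)`. The `msDS-HasInstantiatedNCs` values `B:8:0000000D` and `B:8:00000005` appear to be instanceType bit masks (0x5 = NC head + writable, 0xD additionally flags a parent NC); naming the bits in a comment, or pointing to where they are defined, would help as well.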
@@ -1,21 +1,32 @@ #!/usr/bin/python # -# Sets password settings (Password complexity, history length, -# minimum password length, the minimum and maximum password age) on a -# Samba4 server +# Sets password settings (Password complexity, history length, minimum password +# length, the minimum and maximum password age) on a Samba4 server # -# Copyright Jelmer Vernooij 2008 -# Copyright Matthias Dieter Wallnoefer 2009 -# Copyright Andrew Kroeger 2009 -# Released under the GNU GPL version 3 or later +# Copyright Matthias Dieter Wallnoefer 2009 +# Copyright Andrew Kroeger 2009 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. # -import os, sys -sys.path.insert(0, os.path.join(os.path.dirname(sys.argv[0]), "../bin/python")) +import sys + +# Find right directory when running from source tree +sys.path.insert(0, "bin/python") import samba.getopt as options import optparse -import pwd import ldb from samba.auth import system_session @@ -29,7 +40,6 @@ parser.add_option_group(options.VersionOptions(parser)) credopts = options.CredentialsOptions(parser) parser.add_option_group(credopts) parser.add_option("--quiet", help="Be quiet", action="store_true") -parser.add_option("-H", help="LDB URL for database or target server", type=str) parser.add_option("--complexity", help="The password complexity (on | off | default). Default is 'on'", type=str) parser.add_option("--history-length", 
@@ -55,15 +65,9 @@ if len(args) == 0: sys.exit(1) lp = sambaopts.get_loadparm() - creds = credopts.get_credentials(lp) -if opts.H is not None: - url = opts.H -else: - url = lp.get("sam database") - -samdb = SamDB(url=url, session_info=system_session(), +samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), credentials=creds, lp=lp) domain_dn = SamDB.domain_dn(samdb) @@ -79,13 +83,10 @@ try: min_pwd_age = int(abs(int(res[0]["minPwdAge"][0])) / (1e7 * 60 * 60 * 24)) max_pwd_age = int(abs(int(res[0]["maxPwdAge"][0])) / (1e7 * 60 * 60 * 24)) except: + print "ERROR: Could not retrieve password properties!" if args[0] == "show": - print "ERROR: Password informations missing in your AD domain object!" print "So no settings can be displayed!" - sys.exit(1) - else: - print "ERROR: Could not retrieve password properties (used for password complexity setting)" - sys.exit(1) + sys.exit(1) if args[0] == "show": message("Password informations for domain '" + domain_dn + "'") diff --git a/source4/setup/setexpiry b/source4/setup/setexpiry index db7cdd412f..6c6305ceaf 100755 --- a/source4/setup/setexpiry +++ b/source4/setup/setexpiry 
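Review bot: The `except:` in the password-property block stays bare, so a `KeyboardInterrupt`, or a `SystemExit` raised anywhere inside the `try` (whose top is outside this hunk), is reported as "Could not retrieve password properties!" and turned into exit status 1. Narrow it to what the `int()` conversions and index lookups can raise: `except (KeyError, IndexError, ValueError):`. Merging the two old messages into one is fine, but including the exception text in the message would let the operator tell a missing attribute from a malformed one.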
@@ -1,9 +1,23 @@ #!/usr/bin/python # -# Sets the password expiry for a user on a Samba4 server -# Copyright Andrew Tridgell 2005 -# Copyright Jelmer Vernooij 2008 -# Released under the GNU GPL version 3 or later +# Sets the user password expiry on a Samba4 server +# Copyright Jelmer Vernooij 2008 +# +# Based on the original in EJS: +# Copyright Andrew Tridgell 2005 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. # import sys 
@@ -13,32 +27,38 @@ sys.path.insert(0, "bin/python") import samba.getopt as options import optparse -from getpass import getpass + from samba.auth import system_session +from samba.samdb import SamDB -parser = optparse.OptionParser("setexpiry [options] <username>") +parser = optparse.OptionParser("setexpiry [username] [options]") sambaopts = options.SambaOptions(parser) parser.add_option_group(sambaopts) parser.add_option_group(options.VersionOptions(parser)) credopts = options.CredentialsOptions(parser) parser.add_option_group(credopts) +parser.add_option("--filter", help="LDAP Filter to set password on", type=str) parser.add_option("--days", help="Days to expiry", type=int) -parser.add_option("--noexpiry", help="Never expire", action="store_true") +parser.add_option("--noexpiry", help="Password does never expire", action="store_true") opts, args = parser.parse_args() -if len(args) == 0: +if (len(args) == 0) and (filter is None): + print "Either the username or '--filter' must be specified!" parser.print_usage() sys.exit(1) -username = args[0] +days = opts.days +if days is None: + days = 0 + +if filter is None: + username = args[0] + filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username) lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) -samdb = sambaopts.get_hostconfig().get_samdb(session_info=system_session(), - credentials=creds) -days = opts.days -if days is None: - days = 0 -samdb.setexpiry(username, days*24*3600, opts.noexpiry) +samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), + credentials=creds, lp=lp) +samdb.setexpiry(filter, days*24*3600, noexpiry=opts.noexpiry) diff --git a/source4/setup/setpassword b/source4/setup/setpassword index 513730d649..d8a2a1144a 100755 --- a/source4/setup/setpassword +++ b/source4/setup/setpassword 
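Review bot: `filter` is never assigned from `opts.filter` in this script, so `filter is None` tests the Python builtin `filter` and is always false: the new `--filter` option is silently ignored, `args[0]` is always used, and running with no username raises `IndexError` instead of the intended usage message. Add `filter = opts.filter` directly after `opts, args = parser.parse_args()`, as enableaccount and setpassword do. The help text `"LDAP Filter to set password on"` was copied from setpassword and should describe expiry instead, and the positional username is interpolated into the filter without escaping LDAP filter metacharacters (`*`, `(`, `)`, `\`), so a value containing them changes the query rather than being matched literally.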
@@ -20,15 +20,14 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. # -import os, sys +import sys # Find right directory when running from source tree sys.path.insert(0, "bin/python") import samba.getopt as options import optparse -import pwd -import sys + from getpass import getpass from samba.auth import system_session from samba.samdb import SamDB @@ -45,13 +44,6 @@ parser.add_option("--must-change-at-next-login", help="Force password to be chan opts, args = parser.parse_args() -# -# print a message if quiet is not set -# -def message(text): - if not opts.quiet: - print text - filter = opts.filter if (len(args) == 0) and (filter is None): @@ -65,7 +57,7 @@ if password is None: if filter is None: username = args[0] - filter = "(&(objectclass=user)(samAccountName=%s))" % (username) + filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username) lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) |