summaryrefslogtreecommitdiff
path: root/python
AgeCommit message (Collapse)AuthorFilesLines
2013-10-14s4-samldb: Do not allow deletion of objects with RID < 1000Nadezhda Ivanova1-6/+6
According to [MS-SAMR] 3.1.5.7 Delete Pattern we should not allow deletion of security objects with RID < 1000. This patch will prevent deletion of well-known accounts and groups. Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date(master): Mon Oct 14 13:31:50 CEST 2013 on sn-devel-104
2013-10-11samba-tool domain join subdomain: Rework sambadns.py to allow setup of ↵Andrew Bartlett7-44/+80
DomainDNSZone only This skips handling the ForestDNSZone when we are setting up a subdomain. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Oct 11 10:27:49 CEST 2013 on sn-devel-104
2013-10-11join.py: Reconnect to the DC based on the DC name in dnsHostName to allow ↵Andrew Bartlett1-0/+4
connection to IPC$ The treeConnect&X of the GUID name fails against Windows 2003. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-10-11join.py: Remove special full_ncs handling, we only need to updateRefs on an ↵Andrew Bartlett1-7/+2
NC we replicate Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-10-11join.py: Use ctx.forestdns_zone variableAndrew Bartlett1-2/+2
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-10-11join.py: Correct ctx.forestdns_zone and so remove the need for duplicate ↵Andrew Bartlett1-5/+1
repl.replicate() call Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-10-11provision: Remove --username and --password options from samba-tool domain ↵Andrew Bartlett6-57/+26
provision This avoids confusion, because the LDAP backend does not use these, and they do not set the password for the administrator account either! This may break support for the 'existing' backend LDAP backend, but that is nothing more than a stub for future development anyway, and new work in this area should use EXTERNAL in any case. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-10-10provision/sambadns: CN=MicrosoftDNS,CN=System, is relative to DOMAINDNStefan Metzmacher1-8/+8
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Thu Oct 10 10:24:55 CEST 2013 on sn-devel-104
2013-10-10provision: Fix comment to refer to correct file (krb5.conf)Andrew Bartlett1-3/+2
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-26s4-openldap: Restored openldap-related options to the provision scriptNadezhda Ivanova3-12/+48
At the moment they are only available if TEST_LDAP=yes to avoid accidental use as the openldap backend is still failing some tests Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date(master): Thu Sep 26 07:31:05 CEST 2013 on sn-devel-104
2013-09-24dbcheck: Add back the elements that were wrongly removed from CN=Deleted ObjectsAndrew Bartlett1-0/+66
This is the final part of the fix for the issue in Samba 4.1 pre-release tree where we would wrongly delete the Deleted Objects container during a join. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Tue Sep 24 09:31:37 CEST 2013 on sn-devel-104
2013-09-24dbcheck: Ensure to always increase the error_countAndrew Bartlett1-0/+1
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-09-23s4-openldap: Added an -H option to delegation scriptNadezhda Ivanova1-11/+63
Also calling delegation locally without credentials, as this is not really necessary and causes selftest errors against the openldap backend. Signed-off-by: Nadezhda Ivanova <nivanova@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-09-23python-samba-tool fsmo: Do not give an error on a successful role transferAndrew Bartlett1-7/+7
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9461 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Mon Sep 23 12:00:24 CEST 2013 on sn-devel-104
2013-09-22dbcheck: Look for and fix the all-zero invocationID in replPropertyMetaDataAndrew Bartlett1-0/+68
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2013-09-19python/drs: Ensure to pass in the local invocationID during the domain joinAndrew Bartlett3-4/+10
This ensures (and asserts) that we never write an all-zero GUID as an invocationID to the database in replPropertyMetaData. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-18OpenLDAP provisioning tweaksHoward Chu1-33/+25
Remove BerkeleyDB-specific setup. Streamline cn=samba partition initialization - allow any backend type for it. Use back-mdb instead of back-ldif for cn=samba partition Signed-off-by: Howard Chu <hyc@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com> Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date(master): Wed Sep 18 21:39:51 CEST 2013 on sn-devel-104
2013-09-18Use SASL/EXTERNAL over ldapi://Howard Chu1-3/+4
The provision script will map the uid of the user running the script to the samba-admin LDAP DN. Signed-off-by: Howard Chu <hyc@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-18Give slapd a second to startupHoward Chu1-1/+1
Moving the sleep to the beginning of the loop avoids most occurrences of the "connection failed" message Signed-off-by: Howard Chu <hyc@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com> Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date(master): Wed Sep 18 07:43:09 CEST 2013 on sn-devel-104
2013-09-17Fix OpenLDAP partition configsHoward Chu1-0/+22
Update to use LMDB backend, BDB is deprecated Update to support DomainDNSZones and ForestDNSZones partitions. Signed-off-by: Howard Chu <hyc@symas.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-09-17dsdb: Use credentials.get_forced_sasl_mech()Andrew Bartlett1-0/+2
This will allow us to force the use of only DIGEST-MD5, for example, which is useful to avoid hitting GSSAPI, SPNEGO or NTLM when talking to OpenLDAP and Cyrus-SASL. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com> Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date(master): Tue Sep 17 01:41:41 CEST 2013 on sn-devel-104
2013-09-16samba-tool domain provision: Make ldap_backend_startup.sh +x and take ↵Andrew Bartlett1-2/+5
optional arguments Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
2013-09-16samba-tool domain join: Set server role correctly to "active directory ↵Andrew Bartlett1-2/+2
domain controller" We changed the magic string when we reworked the list of server roles. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Mon Sep 16 23:33:41 CEST 2013 on sn-devel-104
2013-09-16samba-tool domian join: Only print adminpass warning on subdomain creationAndrew Bartlett1-0/+3
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-16samba-tool domain join: Add --quite and --verboseAndrew Bartlett2-45/+63
This means we now use logger consistently between doimin join, domain dcpromo and domain provision. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-16join.py: Restore support for joining as a subdomainAndrew Bartlett2-7/+16
This set of patches fixes up the errors that were introduced into the partial support during the past couple of years. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-16join.py: Handle more error cases with useful exceptionsAndrew Bartlett1-1/+9
This will help track down strange failures in the future. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-16samba-tool domain join subdomain: Set "reveal_internals:0" control so we can ↵Andrew Bartlett1-1/+1
see the ncName The issue here is that we create the ncName remotely with DsAddEntry, and then replicate it back. However, at this point the naming context pointed at by the ncName does not exist! The issue is that the extended_dn_out module then hides the link, because it points to a missing object. The reveal_internals control forces this link to be returned, and so we can then find the GUID, to create the domain with the right GUID. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-16join.py: Show which database we failed to find the DN on (clarify local v ↵Andrew Bartlett1-1/+1
remote) Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-16join.py: Handle exceptions when looking for GUID in a DNAndrew Bartlett1-1/+5
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-09-04scripting/join.py: Handle creating the dns-NAME account during a DC joinAndrew Bartlett2-7/+77
This will ensure that the DLZ plugin works out of the box when joining a second Samba DC to the domain. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2013-08-30python/provision: remove unused linklocal=False argument from interface_ips_v6()Stefan Metzmacher1-3/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Bjoern Jacke <bj@sernet.de> Autobuild-User(master): Björn Jacke <bj@sernet.de> Autobuild-Date(master): Fri Aug 30 17:33:58 CEST 2013 on sn-devel-104
2013-08-30python/pyglue: filter out loopback and linklocal addresses unless ↵Stefan Metzmacher1-2/+43
all_interfaces is given Bug: https://bugzilla.samba.org/show_bug.cgi?id=10030 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Bjoern Jacke <bj@sernet.de>
2013-07-30samba-tool dbcheck: Correctly remove deleted DNs in dbcheckAndrew Bartlett1-1/+1
The previous pattern never matched, as it was a typo. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Jul 30 12:55:00 CEST 2013 on sn-devel-104
2013-06-12python samba-tool drs: Correctly print KCC references to deleted serversAndrew Bartlett1-3/+12
Tested against Windows 2008R2, presumably before the KCC ran. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-06-11Remove remaining references to "password level" in the treeAndrew Bartlett1-1/+0
Reviewed-by: Simo Sorce <idra@samba.org> Autobuild-User(master): Simo Sorce <idra@samba.org> Autobuild-Date(master): Tue Jun 11 16:25:54 CEST 2013 on sn-devel-104
2013-06-01dns: Delete dnsNode objects when they are emptyKai Blin1-0/+117
If an update leaves the dnsNode without any entries, the dnsNode object should be deleted. Thanks to Günter Kukkukk for his excellent debugging work on this one. This should fix bug #9559 Signed-off-by: Kai Blin <kai@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2013-05-30samba-tool/dns: Set secure zone update flag after creating new zoneAmitay Isaacs1-3/+9
Windows DC ignores the secure update flag while creating new zone. Windows performs another operation to set the secure update flag. Signed-off-by: Amitay Isaacs <amitay@gmail.com>
2013-05-30samba-tool/dns: Pass on additional flags when creating zonesAmitay Isaacs1-0/+6
Windows DCs require additional flags to be set when creating zones. This fixes bug #9599. Signed-off-by: Amitay Isaacs <amitay@gmail.com>
2013-05-30s4-dns: Support update of SOA recordsAmitay Isaacs1-2/+3
Signed-off-by: Amitay Isaacs <amitay@gmail.com>
2013-05-28s4-dns: Print/Set minimumTTL value in SOA recordAmitay Isaacs1-1/+3
Signed-off-by: Amitay Isaacs <amitay@gmail.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Tue May 28 08:47:56 CEST 2013 on sn-devel-104
2013-05-16python-samba-tool domain classicupgrade: Use transactions when adding ↵Andrew Bartlett1-31/+69
users/groups/members This should make things a bit faster when importing very large numbers of users as we will not constantly rewrite the indicies on disk. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-16samba-tool dbcheck: Use dsdb.DS_GUID_DELETED_OBJECTS_CONTAINER rather than ↵Andrew Bartlett1-1/+1
the literal value This is better practice. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-16python-samba-tool domain classicupgrade: Correct message about re-promoting BDCsAndrew Bartlett1-1/+1
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-16python-samba-tool domain classicupgrade: Actually Skip domain trust accountsAndrew Bartlett1-0/+1
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-16python-samba-tool domain classicupgrade: Skip machine accounts that do not ↵Andrew Bartlett1-4/+11
end in $ These accounts will not work anyway, as all the domain member lookup code in netlogon expects the $. Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org>
2013-05-16dns: Fix allocation of txt_record in txt record testsKai Blin1-8/+12
Signed-off-by: Kai Blin <kai@samba.org> Reviewed-By: Amitay Isaacs <amitay@gmail.com> Autobuild-User(master): Amitay Isaacs <amitay@samba.org> Autobuild-Date(master): Thu May 16 15:39:15 CEST 2013 on sn-devel-104
2013-05-16dns: more debug debug options in the testsKai Blin1-4/+26
Signed-off-by: Kai Blin <kai@samba.org> Reviewed-By: Amitay Isaacs <amitay@gmail.com>
2013-05-16dns: Add support for MX queriesKai Blin1-0/+43
Due to an oversight, the internal DNS server supports MX record updates, but not MX record queries. Add support for MX queries and tests. This should fix bug #9485 Signed-off-by: Kai Blin <kai@samba.org> Reviewed-By: Amitay Isaacs <amitay@gmail.com>
2013-05-15samba_tool/base.py: Fix typo.Karolin Seeger1-1/+1
Signed-off-by: Karolin Seeger <kseeger@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>