summaryrefslogtreecommitdiff
path: root/source4/scripting/python
AgeCommit message (Collapse)AuthorFilesLines
2009-09-17s4/python: flagsMatthias Dieter Wallnöfer2-9/+83
- Introduce the "userAccountControl", "groupType" and "sAMAccountType" flags - Corrects the "domain/forestFunctionality" and "domainControllerFunctionality" flags
2009-09-16Owner and group defaulting.Nadezhda Ivanova1-0/+1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-09-14s4:provision Prevent some invalid combinations of realm and domainAndrew Bartlett1-0/+9
We don't do well (even just trying to create duplicate servicePrincipalName values) with some of these combinations, so kill it off early before the administrator thinks it's going to work. Andrew Bartlett
2009-09-12s4:group policies - upcase directory names of default group policiesMatthias Dieter Wallnöfer1-4/+8
The directory names (MACHINE, USER) are upcased to help locating the default group policies under the SYSVOL dir (the additional ones have only the first letter upcased of those directory names).
2009-09-11s4:group policies - add the domain controller group policyMatthias Dieter Wallnöfer1-8/+28
This patches fixes the last difference between s4 and Windows Server regarding group policy objects: we hadn't the domain controller policy. - Adds the domain controller policy as it is found in the "original" AD - Adds also the right version number in the GPT.INI file for the domain group policy (was missing)
2009-09-11s4-provision: use DNS name, not domain nameAndrew Tridgell1-0/+1
The SPNs end in the DNS domain name
2009-09-11s4/provision: add the nTDSDSA GUID based DNS entries and SPNsAndrew Tridgell1-9/+19
The DNS entries and SPNs are needed for samba<->samba DRS replication. This patch adds them for a standalone DC configure. A separate patch will add them for the vampire configure
2009-09-10Revert "s4: Let the "setpassword" script finally use the ↵Matthias Dieter Wallnöfer2-70/+9
"samdb_set_password" routine" This reverts commit fdd62e9699b181a140292689fcd88a559bc26211. abartlet and I agreed that this isn't the right way to enforce the password policies. Sooner or later we've to control them anyway on the directory level.
2009-09-10s4:provision Only delete SASL mappings with Fedora DS, not OpenLDAPAndrew Bartlett1-31/+30
We need to be more careful to do the cleanup functions for the right backend. In future, these perhaps should be provided by the ProvisionBackend class. Andrew Bartlett
2009-09-10s4: kludge_acl needs to be above repl_meta_dataAndrew Tridgell1-2/+2
We have to bypass kludge_acl in replication as otherwise we aren't allowed access to the password entries
2009-09-10s4/provision: another fix for breakage from b1dabb1133Andrew Tridgell1-6/+8
2009-09-10s4:provision Don't reference provision_backend when using LDBAndrew Bartlett1-1/+3
This broke in Endi's patch for Fedora DS support Andrew Bartlett
2009-09-10s4: Use SASL authentication against Fedora DS.Endi Sukma Dewata1-5/+68
1. During instance creation the provisioning script will import the SASL mapping for samba-admin. It's done here due to missing config schema preventing adding the mapping via ldapi. 2. After that it will use ldif2db to import the cn=samba-admin user as the target of SASL mapping. 3. Then it will start FDS and continue to do provisioning using the Directory Manager with simple bind. 4. The SASL credentials will be stored in secrets.ldb, so when Samba server runs later it will use the SASL credentials. 5. After the provisioning is done (just before stopping the slapd) it will use the DM over direct ldapi to delete the default SASL mappings included automatically by FDS, leaving just the new samba-admin mapping. 6. Also before stopping slapd it will use the DM over direct ldapi to set the ACL on the root entries of the user, configuration, and schema partitions. The ACL will give samba-admin the full access to these partitions. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-09-09Added "admin_session" method.Nadezhda Ivanova1-1/+5
The purpose of admin_session is to be able to execute parts of provisioning as the user Administrator in order to have the correct group and owner in the security descriptors. To be used for provisioning and tests only.
2009-09-08s4:setpassword script - Passwords set by this script are set by the ↵Matthias Dieter Wallnöfer1-1/+1
administrator not the user
2009-09-08s4:provision - Cosmetic: Indent the parameters betterMatthias Dieter Wallnöfer1-36/+60
2009-09-07s4: Let the "setpassword" script finally use the "samdb_set_password" routineMatthias Dieter Wallnöfer2-9/+70
The "setpassword" script should use the "samdb_set_password" call to change the NT user password. Windows Server tests show that "userPassword" is not the right place to save the NT password and does not inherit the password complexity.
2009-09-07s4: Exceptions in "provision.py"Michael Ströder1-11/+15
This looks much nicer than "normal" string exceptions - and fits better in the OO programming style.
2009-09-07s4:Foreign security principals - Fix them upMatthias Dieter Wallnöfer1-19/+0
I fixed them up to match with Windows Server 2003. I don't think that the creation of them in the provision script is needed so I put them in the "provision_users.ldif" file.
2009-09-07s4:provision - Change the module order to match Windows ServerMatthias Dieter Wallnöfer1-1/+1
Tests show that Windows Server seems to do the access checks on the very last moment.
2009-09-07s4:samldb - Major reworkMatthias Dieter Wallnöfer1-32/+0
This fixes up the change of the primary group of a user when using the ADUC console: - When the "primaryGroupId" attribute changes, we have to delete the "member"/"memberOf" attribute reference of the new primary group and add one for the old primary group. - Deny deletion of primary groups according to Windows Server (so we cannot have invalid "primaryGroupID" attributes in our AD). - We cannot add a primary group directly before it isn't a secondary one of a user account. - We cannot add a secondary reference ("member" attribute) when the group has been chosen as primary one. This also removes the LDB templates which are basically overhead now. This should also fix bug #6599.
2009-09-07s4:provision - Add a new delete function only for users and computersMatthias Dieter Wallnöfer1-0/+25
We need this new function to delete users and computers before other objects on reprovisioning. Otherwise primary groups could be deleted before user/computer accounts (which isn't allowed anymore by the reworked "samldb" module).
2009-09-07s4:setup: Use ms_display_specifiers script for provision.Andrew Kroeger1-2/+5
Changed the provisioning to use the new script to parse the Microsoft-provided DisplaySpecifiers LDIF file.
2009-09-07s4:setup: Added script to parse Microsoft DisplaySpecifiers document.Andrew Kroeger1-0/+189
Created this script based on the existing ms_schema.py script. - Removed some unnecessary transformations that are only necessary for schema processing. - Added capability to parse and properly output base64-encoded values. - Removed unnecessary attributes based on what attributes were present (and also what were explicitly removed) from display_specifiers.ldif.
2009-09-04s4:python fixed subunit tests of dcerpcAndrew Tridgell6-0/+0
The version of the unitest python module in Ubuntu Jaunty doesn't seem to support this many level of subdirectories. Moving the tests up one level solves the problem.
2009-09-03allow setting of the debug level in python from CAndrew Tridgell2-1/+14
2009-09-02repl_meta_data should only be included when we are a DCAndrew Tridgell1-1/+1
2009-09-02move the repl_meta_data module up the ldb module stackAndrew Tridgell1-1/+2
The repl_meta_data module needs to be above the linked_attributes module, to allow linked_attributes to do its magic
2009-08-28s4: Create helpers functions related to provisionMatthieu Patou1-17/+34
One for getting attributes with DN syntax, one for getting forward linked attributes and one for getting the list of partition
2009-08-27s4:python Add helper to get at the domain SIDAndrew Bartlett2-0/+33
2009-08-26s4:provision Ensure that @OPTIONS is mirrored into each partitionAndrew Bartlett1-0/+4
The previous patches to the provision system cut down on the number of reconnects, and disabled the partition handling for part of the process. This means we lost the setting of @OPTIONS as a replicated attribute into the partitions. Andrew Bartlett
2009-08-26s4:provison Add prefixes to ldb using same code a later modify will useAndrew Bartlett3-5/+38
This allows us to test out the code that will do the modify of the prefixMap, and to provide the bindings that may assist a future upgrade script. Andrew Bartlett
2009-08-26s4:provision Only create references to our server DN after the self joinAndrew Bartlett1-0/+10
This will ensure that the GUID can be filled in correctly, and assist us to validate DN targets in the future. Andrew Bartlett
2009-08-25s4:python Fix the reprovision test by deleting 'deleted' objects too.Andrew Bartlett1-6/+9
We were failing because CN=Deleted Objects, which is marked as 'deleted' itself, could not be re-added in a reprovision. Andrew Bartlett
2009-08-17fixed the buildAndrew Tridgell1-3/+5
the changes from Matthias didn't take account of url and lp being None in some ldb python instances in 'make test'
2009-08-17s4: Major rework of the LDB/SAMDB/IDMAP python bindingsMatthias Dieter Wallnöfer4-55/+57
- Centralise the lookups for the default domain (root) in the call "domain_dn" - Reduce the LDB connections attempts ("connect" calls) from three to one - tools should load faster - Make the LDB connection init more like the "ldb_wrap_connection" call - Load the right UTF8 casefolder which fixes up problems with special characters (discovered by me: e.g. small "Umlaute" (ä, ö, ü, ...) in the DN weren't upcased - so records "seemed" lost in TDB)
2009-08-17s4:pyglue Add a wrapper for loading the correct UTF8 casefolderMatthias Dieter Wallnöfer1-0/+20
Needed for special characters (e.g. in German "Umlaute")
2009-08-17Revert "s4:samdb python bindings - we don't need the attributes here"Matthias Dieter Wallnöfer1-1/+2
This reverts commit 53ef426e6f68728763436bd0cd3dd91180c00579. As abartlet pointed out this causes to load all attributes and therefore gives us more here than we need (only the check for the DN)!
2009-08-17sigh - still not rightAndrew Tridgell1-5/+5
2009-08-17fixed up add_foreign againAndrew Tridgell2-23/+23
my last patch was not even close ... I'll leave abartlet to work out how to fix the test case
2009-08-17more fixups from provision changesAndrew Tridgell2-24/+24
Andrew, can you please check this? The idmap.setup_name_mapping tests look totally out of place here. I'm also not sure I captured your intention with the other changes
2009-08-17fixed up some provision errors from the recent changesAndrew Tridgell1-3/+2
2009-08-17s4:provision Add comments to the provision scriptAndrew Bartlett1-1/+10
Hopefully this will explain a bit more whey things are done the way that they are done. Andrew Bartlett
2009-08-17s4:provision Avoid one more call to ltdb_reindexAndrew Bartlett2-6/+19
The Samba4 schema code (called via samdb.set_schema_from_ldb(schema.ldb)) manages the @ATTRIBUTES and @INDEXLIST records, so don't wipe them early. The chances are that we will not change them anyway. Andrew Bartlett
2009-08-17s4:provision Fix existing ldapi:// backend detection exceptionAndrew Bartlett1-1/+1
Found by Oliver Liebel <oliver@itc.li> Andrew Bartlett
2009-08-17s4:provision Make sure that we don't use Kerberos to our LDAP backendAndrew Bartlett1-1/+3
This makes no sense, and just causes trouble - we are aiming for DIGEST-MD5 or NTLM. Andrew Bartlett
2009-08-17s4:provison Print the LDAP backend admin username/passwordAndrew Bartlett1-6/+14
2009-08-17s4: Re-add --ldapadminpass as an option to provisionAndrew Bartlett1-5/+9
This should make setting up LDAP servers more predictable. When not specified, it is random Andrew Bartlett
2009-08-17s4:python Allow 'no such object' on the delete of the DNAndrew Bartlett1-1/+5
This fixes the recursive delete in erase_partitions() For reasons I cannot understand, it is possible to get 'no such object' trying to delete a DN I just search for without error. Oh well... Andrew Bartlett
2009-08-17s4:provision Keep a single transaction for the erase and rebuildAndrew Bartlett1-15/+6
Using a single transaction to both erase the bulk of the data and the rebuild of that data means that the in-memory index list is maintained, and not written out to disk until it is all compleated. All the writes then occour at the end. Andrew Bartlett