Age | Commit message (Collapse) | Author | Files | Lines |
|
This allows this control to be specified as critical. We support the
control because we choose to always be durable in our transactions.
We really, really need a 'duplicate request' API, as at the
moment we can't do this without a large, error-prone set of code that
cannot cope with new request fields or types.
Andrew Bartlett
|
|
(allows addition of systemOnly classes)
|
|
Give the possibility to specify controls when loading ldif files.
Relax control is specified by default for all ldb_add_diff (request Andrew B).
Set domainguid if specified at the creation of object instead of modifying afterward
Allow to specify objectGUID for NTDS object of the first DC this option is used during provision upgrade.
|
|
Windows 2003 Native
|
|
|
|
This reverts commit 11a7842854c0be8c427a2dbf0a8fc3761cda6298.
abartlet claims that this patch could lead to data loss (look at technical
mailing list)
|
|
function levels
Adds a parameter "--function-level" which allows to specify the domain and
forest function level.
|
|
|
|
|
|
|
|
This reverts commit ffd48a79ee34dc90c0f6f16564c3a0de8b53d3d2.
|
|
Currently disabled. The search will be greatly modified,
also the object tree stuff will be simplified.
|
|
|
|
The previous commit changed the wrong end - we must fix our server,
not our client.
Andrew Bartlett
|
|
We need to look into salting algorithms further.
Andrew Bartlett
|
|
|
|
|
|
Also add a note to clarify that this should not be changed without
discussion and consensus. We don't want this bouncing around.
Paramater support to allow optional selection of Win2003 mode welcomed.
Andrew Bartlett
|
|
|
|
This ensures we only have one codepath to store the secret, and
therefore that we have a single choke point for setting the
saltPrincipal, which we were previously skipping.
Andrew Bartlett
|
|
|
|
TODO's:
ACE sorting and clarifying the inheritance of object specific ace's.
|
|
|
|
|
|
metze
|
|
- I added a comment to the "new user" operation to point out that this works
only on s4, since we add also ID mapping entries for winbind there
- The "new user" operation adds now the password through the "set password"
operation which I find better due to the re-use principle
- Remove the word "DC" after "SAMBA 4" in the comment over the "set password"
operation since this note and operation applies also to s4 in standalone mode
|
|
- When a user account is requested by a call always the search filter will be
passed as argument. This helps us to unify the API
- Add/fix some comments; in particular new comments inform the developer which
requirements exist if he wants to use calls which manipulate the
"userPassword" attribute (On s4 no problem - but on certain domain levels on
Windows Server)
|
|
|
|
This script helps to reclaim waisted place.
|
|
- The DC level we keep on Windows Server 2008 R2 (we should call ourself
always the newest server type)
- The domain/forest level we set to the minimum (Windows 2000 native) to
allow all AD DC types (from Windows 2000 on) in our domain - the NT4 "mixed"
mode isn't supported by us (discussed on mailing list) -> "nTMixedDomain" is
set always to 0
- I'll add a script which allows to bump the DC level (basically sets the
"msDS-Behaviour-Version" attributes on the "Partitions/Configuration/DC" and
on the "DC" object)
|
|
- Fix up "servicePrincipalNames" attributes on the DC object
- Add some informative comments (most in "provision_self_join.ldif")
- Add also comments where objects are missing which we may add later when we
support the feature (mainly for FRS)
- Add "domain updates" objects also under "CN=Configuration" (they exist twice)
- Add the default services under "Services" to allow interoperability with some
MS client tools
- Smaller changes
|
|
- Add/change "wellKnownObjects" attributes
- Order entries in "provision_basedn_modify.ldif"
- Add/change "delete entries" object under BASEDN and CONFIGDN
- Fix default version number of "Default domain policy" group policy
- Add "domain updates" objects for interoperability with MS AD maintaining tools
- Show version number in the "oEMInformation" attribute (suggested by ekacnet)
- Smaller fixups
|
|
Additional notes:
- Bump the level to Windows Server 2008 R2 (we should support always the latest
version - if we provision ourself)
- In "descriptor.c" the check for the "domainFunctionality" level shouldn't be
needed: ACL owner groups (not owner user) are supported since Windows 2000
Server (first AD edition)
- I took the argument from: http://support.microsoft.com/kb/329194
|
|
- Introduce the "userAccountControl", "groupType" and "sAMAccountType" flags
- Corrects the "domain/forestFunctionality" and "domainControllerFunctionality" flags
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
We don't do well (even just trying to create duplicate
servicePrincipalName values) with some of these combinations, so kill
it off early before the administrator thinks it's going to work.
Andrew Bartlett
|
|
This script can be used to upgrade a provision that didn't integrate extended dn.
It can also be used to add missing extended DN that weren't created during provision.
|
|
The directory names (MACHINE, USER) are upcased to help locating the default
group policies under the SYSVOL dir (the additional ones have only the first
letter upcased of those directory names).
|
|
|
|
This patches fixes the last difference between s4 and Windows Server regarding
group policy objects: we hadn't the domain controller policy.
- Adds the domain controller policy as it is found in the "original" AD
- Adds also the right version number in the GPT.INI file for the domain group
policy (was missing)
|
|
The SPNs end in the DNS domain name
|
|
The DNS entries and SPNs are needed for samba<->samba DRS
replication. This patch adds them for a standalone DC configure. A
separate patch will add them for the vampire configure
|
|
"samdb_set_password" routine"
This reverts commit fdd62e9699b181a140292689fcd88a559bc26211.
abartlet and I agreed that this isn't the right way to enforce the password
policies. Sooner or later we've to control them anyway on the directory level.
|
|
We need to be more careful to do the cleanup functions for the right
backend. In future, these perhaps should be provided by the
ProvisionBackend class.
Andrew Bartlett
|
|
We have to bypass kludge_acl in replication as otherwise we aren't
allowed access to the password entries
|
|
|
|
This broke in Endi's patch for Fedora DS support
Andrew Bartlett
|
|
1. During instance creation the provisioning script will import the SASL
mapping for samba-admin. It's done here due to missing config schema
preventing adding the mapping via ldapi.
2. After that it will use ldif2db to import the cn=samba-admin user as
the target of SASL mapping.
3. Then it will start FDS and continue to do provisioning using the
Directory Manager with simple bind.
4. The SASL credentials will be stored in secrets.ldb, so when Samba
server runs later it will use the SASL credentials.
5. After the provisioning is done (just before stopping the slapd)
it will use the DM over direct ldapi to delete the default SASL
mappings included automatically by FDS, leaving just the new
samba-admin mapping.
6. Also before stopping slapd it will use the DM over direct ldapi to
set the ACL on the root entries of the user, configuration, and
schema partitions. The ACL will give samba-admin the full access
to these partitions.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
The purpose of admin_session is to be able to execute parts of provisioning
as the user Administrator in order to have the correct group and owner in the
security descriptors. To be used for provisioning and tests only.
|
|
administrator not the user
|