summaryrefslogtreecommitdiff
path: root/source4/scripting
AgeCommit message (Collapse)AuthorFilesLines
2009-09-26samba.tests.provision: Remove broken become_dc test.Jelmer Vernooij1-25/+1
2009-09-24Add init file for DCE/RPC tests.Jelmer Vernooij1-0/+20
2009-09-24PEP8Jelmer Vernooij6-3/+6
2009-09-24Revert "s4:python fixed subunit tests of dcerpc"Jelmer Vernooij6-0/+0
This reverts commit ffd48a79ee34dc90c0f6f16564c3a0de8b53d3d2.
2009-09-21Initial Implementation of the DS objects access checks.Nadezhda Ivanova1-0/+1
Currently disabled. The search will be greatly modified, also the object tree stuff will be simplified.
2009-09-21Merge branch 'master' of git://git.samba.org/sambaNadezhda Ivanova2-29/+92
2009-09-21s4:kerberos Fix the salt to match Windows 2008.Andrew Bartlett1-1/+1
The previous commit changed the wrong end - we must fix our server, not our client. Andrew Bartlett
2009-09-21s4:provision Make our default salt match our server behaviourAndrew Bartlett1-1/+1
We need to look into salting algorithms further. Andrew Bartlett
2009-09-21s4:provision - Fix up ProvisioningError class as suggested by JelmerMatthias Dieter Wallnöfer1-5/+5
2009-09-21s4:samdb/tools - That should fix now the last failuresMatthias Dieter Wallnöfer1-2/+2
2009-09-20s4:provision Make us Windows 2008 level by defualt againAndrew Bartlett1-4/+5
Also add a note to clarify that this should not be changed without discussion and consensus. We don't want this bouncing around. Paramater support to allow optional selection of Win2003 mode welcomed. Andrew Bartlett
2009-09-20Merge branch 'master' of git://git.samba.org/sambaNadezhda Ivanova1-12/+14
2009-09-20s4:provision Use code to store domain join in 'net join' as wellAndrew Bartlett1-23/+80
This ensures we only have one codepath to store the secret, and therefore that we have a single choke point for setting the saltPrincipal, which we were previously skipping. Andrew Bartlett
2009-09-20s4:provision split provision of DNS zone and self join keytabAndrew Bartlett1-4/+10
2009-09-20Initial implementation of security descriptor creation in DSNadezhda Ivanova1-5/+44
TODO's: ACE sorting and clarifying the inheritance of object specific ace's.
2009-09-20s4:python tools - try to fix some test problemsMatthias Dieter Wallnöfer1-12/+14
2009-09-20Fixed a difference in domain sid type when SID is provided by user.Nadezhda Ivanova1-1/+4
2009-09-20s4:provision: add the 'resolve_oids' on the top of the module stackStefan Metzmacher1-1/+2
metze
2009-09-19s4:samdb.py - further reworkMatthias Dieter Wallnöfer1-12/+9
- I added a comment to the "new user" operation to point out that this works only on s4, since we add also ID mapping entries for winbind there - The "new user" operation adds now the password through the "set password" operation which I find better due to the re-use principle - Remove the word "DC" after "SAMBA 4" in the comment over the "set password" operation since this note and operation applies also to s4 in standalone mode
2009-09-18s4:samdb.py - Unification of the interfacesMatthias Dieter Wallnöfer2-38/+54
- When a user account is requested by a call always the search filter will be passed as argument. This helps us to unify the API - Add/fix some comments; in particular new comments inform the developer which requirements exist if he wants to use calls which manipulate the "userPassword" attribute (On s4 no problem - but on certain domain levels on Windows Server)
2009-09-18s4:minschema/fullschema - add correct header commentsMatthias Dieter Wallnöfer2-2/+2
2009-09-18python: create a script for reorgnizing an LDB file.Matthieu Patou1-0/+60
This script helps to reclaim waisted place.
2009-09-18s4:provision - Bump down the domain and forest level to Windows 2000Matthias Dieter Wallnöfer1-3/+3
- The DC level we keep on Windows Server 2008 R2 (we should call ourself always the newest server type) - The domain/forest level we set to the minimum (Windows 2000 native) to allow all AD DC types (from Windows 2000 on) in our domain - the NT4 "mixed" mode isn't supported by us (discussed on mailing list) -> "nTMixedDomain" is set always to 0 - I'll add a script which allows to bump the DC level (basically sets the "msDS-Behaviour-Version" attributes on the "Partitions/Configuration/DC" and on the "DC" object)
2009-09-17s4:provision - Some rework (continuation)Matthias Dieter Wallnöfer1-3/+4
- Fix up "servicePrincipalNames" attributes on the DC object - Add some informative comments (most in "provision_self_join.ldif") - Add also comments where objects are missing which we may add later when we support the feature (mainly for FRS) - Add "domain updates" objects also under "CN=Configuration" (they exist twice) - Add the default services under "Services" to allow interoperability with some MS client tools - Smaller changes
2009-09-17s4:provision - Some reworkMatthias Dieter Wallnöfer1-3/+4
- Add/change "wellKnownObjects" attributes - Order entries in "provision_basedn_modify.ldif" - Add/change "delete entries" object under BASEDN and CONFIGDN - Fix default version number of "Default domain policy" group policy - Add "domain updates" objects for interoperability with MS AD maintaining tools - Show version number in the "oEMInformation" attribute (suggested by ekacnet) - Smaller fixups
2009-09-17s4/domain behaviour flags: Fix them up in various locationsMatthias Dieter Wallnöfer1-5/+6
Additional notes: - Bump the level to Windows Server 2008 R2 (we should support always the latest version - if we provision ourself) - In "descriptor.c" the check for the "domainFunctionality" level shouldn't be needed: ACL owner groups (not owner user) are supported since Windows 2000 Server (first AD edition) - I took the argument from: http://support.microsoft.com/kb/329194
2009-09-17s4/python: flagsMatthias Dieter Wallnöfer2-9/+83
- Introduce the "userAccountControl", "groupType" and "sAMAccountType" flags - Corrects the "domain/forestFunctionality" and "domainControllerFunctionality" flags
2009-09-16Owner and group defaulting.Nadezhda Ivanova1-0/+1
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-09-14s4:provision Prevent some invalid combinations of realm and domainAndrew Bartlett1-0/+9
We don't do well (even just trying to create duplicate servicePrincipalName values) with some of these combinations, so kill it off early before the administrator thinks it's going to work. Andrew Bartlett
2009-09-14s4: Script to build or rebuild extend DN attributesMatthieu Patou1-0/+141
This script can be used to upgrade a provision that didn't integrate extended dn. It can also be used to add missing extended DN that weren't created during provision.
2009-09-12s4:group policies - upcase directory names of default group policiesMatthias Dieter Wallnöfer1-4/+8
The directory names (MACHINE, USER) are upcased to help locating the default group policies under the SYSVOL dir (the additional ones have only the first letter upcased of those directory names).
2009-09-12s4-scripts: allow setup_dns.sh to take a PRIVATEDIRAndrew Tridgell1-1/+3
2009-09-11s4:group policies - add the domain controller group policyMatthias Dieter Wallnöfer1-8/+28
This patches fixes the last difference between s4 and Windows Server regarding group policy objects: we hadn't the domain controller policy. - Adds the domain controller policy as it is found in the "original" AD - Adds also the right version number in the GPT.INI file for the domain group policy (was missing)
2009-09-11s4-provision: use DNS name, not domain nameAndrew Tridgell1-0/+1
The SPNs end in the DNS domain name
2009-09-11s4/provision: add the nTDSDSA GUID based DNS entries and SPNsAndrew Tridgell1-9/+19
The DNS entries and SPNs are needed for samba<->samba DRS replication. This patch adds them for a standalone DC configure. A separate patch will add them for the vampire configure
2009-09-10Revert "s4: Let the "setpassword" script finally use the ↵Matthias Dieter Wallnöfer2-70/+9
"samdb_set_password" routine" This reverts commit fdd62e9699b181a140292689fcd88a559bc26211. abartlet and I agreed that this isn't the right way to enforce the password policies. Sooner or later we've to control them anyway on the directory level.
2009-09-10s4:provision Only delete SASL mappings with Fedora DS, not OpenLDAPAndrew Bartlett1-31/+30
We need to be more careful to do the cleanup functions for the right backend. In future, these perhaps should be provided by the ProvisionBackend class. Andrew Bartlett
2009-09-10s4: kludge_acl needs to be above repl_meta_dataAndrew Tridgell1-2/+2
We have to bypass kludge_acl in replication as otherwise we aren't allowed access to the password entries
2009-09-10s4/provision: another fix for breakage from b1dabb1133Andrew Tridgell1-6/+8
2009-09-10s4:provision Don't reference provision_backend when using LDBAndrew Bartlett1-1/+3
This broke in Endi's patch for Fedora DS support Andrew Bartlett
2009-09-10s4: Use SASL authentication against Fedora DS.Endi Sukma Dewata1-5/+68
1. During instance creation the provisioning script will import the SASL mapping for samba-admin. It's done here due to missing config schema preventing adding the mapping via ldapi. 2. After that it will use ldif2db to import the cn=samba-admin user as the target of SASL mapping. 3. Then it will start FDS and continue to do provisioning using the Directory Manager with simple bind. 4. The SASL credentials will be stored in secrets.ldb, so when Samba server runs later it will use the SASL credentials. 5. After the provisioning is done (just before stopping the slapd) it will use the DM over direct ldapi to delete the default SASL mappings included automatically by FDS, leaving just the new samba-admin mapping. 6. Also before stopping slapd it will use the DM over direct ldapi to set the ACL on the root entries of the user, configuration, and schema partitions. The ACL will give samba-admin the full access to these partitions. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-09-09Added "admin_session" method.Nadezhda Ivanova1-1/+5
The purpose of admin_session is to be able to execute parts of provisioning as the user Administrator in order to have the correct group and owner in the security descriptors. To be used for provisioning and tests only.
2009-09-08s4:setpassword script - Passwords set by this script are set by the ↵Matthias Dieter Wallnöfer1-1/+1
administrator not the user
2009-09-08s4:provision - Cosmetic: Indent the parameters betterMatthias Dieter Wallnöfer1-36/+60
2009-09-07s4: Let the "setpassword" script finally use the "samdb_set_password" routineMatthias Dieter Wallnöfer2-9/+70
The "setpassword" script should use the "samdb_set_password" call to change the NT user password. Windows Server tests show that "userPassword" is not the right place to save the NT password and does not inherit the password complexity.
2009-09-07s4: Exceptions in "provision.py"Michael Ströder1-11/+15
This looks much nicer than "normal" string exceptions - and fits better in the OO programming style.
2009-09-07s4:Foreign security principals - Fix them upMatthias Dieter Wallnöfer1-19/+0
I fixed them up to match with Windows Server 2003. I don't think that the creation of them in the provision script is needed so I put them in the "provision_users.ldif" file.
2009-09-07s4:provision - Change the module order to match Windows ServerMatthias Dieter Wallnöfer1-1/+1
Tests show that Windows Server seems to do the access checks on the very last moment.
2009-09-07s4:samldb - Major reworkMatthias Dieter Wallnöfer1-32/+0
This fixes up the change of the primary group of a user when using the ADUC console: - When the "primaryGroupId" attribute changes, we have to delete the "member"/"memberOf" attribute reference of the new primary group and add one for the old primary group. - Deny deletion of primary groups according to Windows Server (so we cannot have invalid "primaryGroupID" attributes in our AD). - We cannot add a primary group directly before it isn't a secondary one of a user account. - We cannot add a secondary reference ("member" attribute) when the group has been chosen as primary one. This also removes the LDB templates which are basically overhead now. This should also fix bug #6599.
2009-09-07s4:provision - Add a new delete function only for users and computersMatthias Dieter Wallnöfer1-0/+25
We need this new function to delete users and computers before other objects on reprovisioning. Otherwise primary groups could be deleted before user/computer accounts (which isn't allowed anymore by the reworked "samldb" module).