| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This script helps to reclaim waisted place.
|
|
- The DC level we keep on Windows Server 2008 R2 (we should call ourself
always the newest server type)
- The domain/forest level we set to the minimum (Windows 2000 native) to
allow all AD DC types (from Windows 2000 on) in our domain - the NT4 "mixed"
mode isn't supported by us (discussed on mailing list) -> "nTMixedDomain" is
set always to 0
- I'll add a script which allows to bump the DC level (basically sets the
"msDS-Behaviour-Version" attributes on the "Partitions/Configuration/DC" and
on the "DC" object)
|
|
- Fix up "servicePrincipalNames" attributes on the DC object
- Add some informative comments (most in "provision_self_join.ldif")
- Add also comments where objects are missing which we may add later when we
support the feature (mainly for FRS)
- Add "domain updates" objects also under "CN=Configuration" (they exist twice)
- Add the default services under "Services" to allow interoperability with some
MS client tools
- Smaller changes
|
|
- Add/change "wellKnownObjects" attributes
- Order entries in "provision_basedn_modify.ldif"
- Add/change "delete entries" object under BASEDN and CONFIGDN
- Fix default version number of "Default domain policy" group policy
- Add "domain updates" objects for interoperability with MS AD maintaining tools
- Show version number in the "oEMInformation" attribute (suggested by ekacnet)
- Smaller fixups
|
|
Additional notes:
- Bump the level to Windows Server 2008 R2 (we should support always the latest
version - if we provision ourself)
- In "descriptor.c" the check for the "domainFunctionality" level shouldn't be
needed: ACL owner groups (not owner user) are supported since Windows 2000
Server (first AD edition)
- I took the argument from: http://support.microsoft.com/kb/329194
|
|
- Introduce the "userAccountControl", "groupType" and "sAMAccountType" flags
- Corrects the "domain/forestFunctionality" and "domainControllerFunctionality" flags
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
We don't do well (even just trying to create duplicate
servicePrincipalName values) with some of these combinations, so kill
it off early before the administrator thinks it's going to work.
Andrew Bartlett
|
|
This script can be used to upgrade a provision that didn't integrate extended dn.
It can also be used to add missing extended DN that weren't created during provision.
|
|
The directory names (MACHINE, USER) are upcased to help locating the default
group policies under the SYSVOL dir (the additional ones have only the first
letter upcased of those directory names).
|
|
|
|
This patches fixes the last difference between s4 and Windows Server regarding
group policy objects: we hadn't the domain controller policy.
- Adds the domain controller policy as it is found in the "original" AD
- Adds also the right version number in the GPT.INI file for the domain group
policy (was missing)
|
|
The SPNs end in the DNS domain name
|
|
The DNS entries and SPNs are needed for samba<->samba DRS
replication. This patch adds them for a standalone DC configure. A
separate patch will add them for the vampire configure
|
|
"samdb_set_password" routine"
This reverts commit fdd62e9699b181a140292689fcd88a559bc26211.
abartlet and I agreed that this isn't the right way to enforce the password
policies. Sooner or later we've to control them anyway on the directory level.
|
|
We need to be more careful to do the cleanup functions for the right
backend. In future, these perhaps should be provided by the
ProvisionBackend class.
Andrew Bartlett
|
|
We have to bypass kludge_acl in replication as otherwise we aren't
allowed access to the password entries
|
|
|
|
This broke in Endi's patch for Fedora DS support
Andrew Bartlett
|
|
1. During instance creation the provisioning script will import the SASL
mapping for samba-admin. It's done here due to missing config schema
preventing adding the mapping via ldapi.
2. After that it will use ldif2db to import the cn=samba-admin user as
the target of SASL mapping.
3. Then it will start FDS and continue to do provisioning using the
Directory Manager with simple bind.
4. The SASL credentials will be stored in secrets.ldb, so when Samba
server runs later it will use the SASL credentials.
5. After the provisioning is done (just before stopping the slapd)
it will use the DM over direct ldapi to delete the default SASL
mappings included automatically by FDS, leaving just the new
samba-admin mapping.
6. Also before stopping slapd it will use the DM over direct ldapi to
set the ACL on the root entries of the user, configuration, and
schema partitions. The ACL will give samba-admin the full access
to these partitions.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
The purpose of admin_session is to be able to execute parts of provisioning
as the user Administrator in order to have the correct group and owner in the
security descriptors. To be used for provisioning and tests only.
|
|
administrator not the user
|
|
|
|
The "setpassword" script should use the "samdb_set_password" call to change
the NT user password. Windows Server tests show that "userPassword" is not the
right place to save the NT password and does not inherit the password complexity.
|
|
This looks much nicer than "normal" string exceptions - and fits better in the OO
programming style.
|
|
I fixed them up to match with Windows Server 2003. I don't think that the
creation of them in the provision script is needed so I put them in the
"provision_users.ldif" file.
|
|
Tests show that Windows Server seems to do the access checks on the very last moment.
|
|
This fixes up the change of the primary group of a user when using the ADUC
console:
- When the "primaryGroupId" attribute changes, we have to delete the
"member"/"memberOf" attribute reference of the new primary group and add one
for the old primary group.
- Deny deletion of primary groups according to Windows Server (so we cannot
have invalid "primaryGroupID" attributes in our AD).
- We cannot add a primary group directly before it isn't a secondary one of a
user account.
- We cannot add a secondary reference ("member" attribute) when the group has
been chosen as primary one.
This also removes the LDB templates which are basically overhead now.
This should also fix bug #6599.
|
|
We need this new function to delete users and computers before other objects
on reprovisioning. Otherwise primary groups could be deleted before user/computer
accounts (which isn't allowed anymore by the reworked "samldb" module).
|
|
|
|
this is needed for the _msdcs zone
|
|
Changed the provisioning to use the new script to parse the Microsoft-provided
DisplaySpecifiers LDIF file.
|
|
Created this script based on the existing ms_schema.py script.
- Removed some unnecessary transformations that are only necessary for schema
processing.
- Added capability to parse and properly output base64-encoded values.
- Removed unnecessary attributes based on what attributes were present (and also
what were explicitly removed) from display_specifiers.ldif.
|
|
This is a perl script that does TSIG-GSS DNS updates against a AD
DC. The bind 9.5 nsupdate still doesn't seem to work with TSIG-GSS,
and we need a way to do DNS updates when we vampire a domain, so I
revived this ancient perl script and added a wrapper script that can
update DNS entries using our machine account credentials
|
|
The version of the unitest python module in Ubuntu Jaunty doesn't seem
to support this many level of subdirectories. Moving the tests up one
level solves the problem.
|
|
|
|
|
|
The repl_meta_data module needs to be above the linked_attributes
module, to allow linked_attributes to do its magic
|
|
One for getting attributes with DN syntax, one for getting forward
linked attributes and one for getting the list of partition
|
|
|
|
The previous patches to the provision system cut down on the number of
reconnects, and disabled the partition handling for part of the
process. This means we lost the setting of @OPTIONS as a replicated
attribute into the partitions.
Andrew Bartlett
|
|
This allows us to test out the code that will do the modify of the
prefixMap, and to provide the bindings that may assist a future
upgrade script.
Andrew Bartlett
|
|
This will ensure that the GUID can be filled in correctly, and assist
us to validate DN targets in the future.
Andrew Bartlett
|
|
We were failing because CN=Deleted Objects, which is marked as
'deleted' itself, could not be re-added in a reprovision.
Andrew Bartlett
|
|
the changes from Matthias didn't take account of url and lp being None
in some ldb python instances in 'make test'
|
|
- Centralise the lookups for the default domain (root) in the call "domain_dn"
- Reduce the LDB connections attempts ("connect" calls) from three to one
- tools should load faster
- Make the LDB connection init more like the "ldb_wrap_connection" call
- Load the right UTF8 casefolder which fixes up problems with special characters
(discovered by me: e.g. small "Umlaute" (ä, ö, ü, ...) in the DN weren't upcased
- so records "seemed" lost in TDB)
|
|
Needed for special characters (e.g. in German "Umlaute")
|
|
This reverts commit 53ef426e6f68728763436bd0cd3dd91180c00579.
As abartlet pointed out this causes to load all attributes and therefore gives
us more here than we need (only the check for the DN)!
|
|
|
|
my last patch was not even close ...
I'll leave abartlet to work out how to fix the test case
|
