Age | Commit message (Collapse) | Author | Files | Lines |
|
Andrew Bartlett
(This used to be commit 55c7c0906ccb741ab002f460164ccbbe56b55a98)
|
|
(This used to be commit f60817d7970ab449ac327f4da312f10350b9636f)
|
|
clients do correctly see our group policies, but the gpmc admin tool
doesn't yet work to allow you to edit the policies
(This used to be commit 4c6e01a585f59caf7d2d87833f5eedc018ed8acc)
|
|
metze
(This used to be commit 2a6e6a2695b256411c91768c7bee748228e40e6f)
|
|
under ${BASEDN}
metze
(This used to be commit 09ca6aae12d8e10b76971cf269f7c62f228a4c87)
|
|
into an exsting LDAP server. (Allow some parts to pre-exist, and try
to blow away less data).
Andrew Bartlett
(This used to be commit 99faff0ad8fa12d596c599064a0125a6b3365134)
|
|
a distinction between PDC and BDC in the configuration files, only as
an entry in the ldb.
Andrew Bartlett
(This used to be commit dc9eee7cb37e4a6828c2cba23b0d836df9eac7b5)
|
|
This required changes to the rootDSE module, to allow registration of
partitions. In doing so I renamed the 'register' operation to
'register_control' and 'register_partition', which changed a few more
modules.
Due to the behaviour of certain LDAP servers, we create the baseDN
entry in two parts: Firstly, we allow the admin to export a simple
LDIF file to add to their server. Then we perform a modify to add the
remaining attributes.
To delete all users in partitions, we must now search and delete all
objects in the partition, rather than a simple search from the root.
Against LDAP, this might not delete all objects, so we allow this to
fail.
In testing, we found that the 'Domain Controllers' container was
misnamed, and should be 'CN=', rather than 'OU='.
To avoid the Templates being found in default searches, they have been
moved to CN=Templates from CN=Templates,${BASEDN}.
Andrew Bartlett
(This used to be commit b49a4fbb57f10726bd288fdc9fc95c0cbbe9094a)
|
|
This change is required for compatibility with the OSX client, in
particular, but returning 0x80000002 rather than -2147483646 violates
what LDAP clients expect in general.
Andrew Bartlett
(This used to be commit 81f3cd1c4592d2108d521acd701ed4a70a23c465)
|
|
scripts.
This tests the real module, and avoids duplication.
Andrew Bartlett
(This used to be commit 0859ba59ae00029177cd63366fc59efe8b19c973)
|
|
than a hardcoded SID.
Fix the samldb module to return the what *was* the nextrid, rather
than the new nextrid (that is for next time).
Andrew Bartlett
(This used to be commit ffe9042e15cebbc7ff1bac90ec39835753d6caa7)
|
|
not yet enforced except for the initial connection timeout
(This used to be commit fa1ae9a44b0321b8e458bcb7fd1dcc9475b9bad3)
|
|
needed for mmc management of Samba4.
(This used to be commit cbbce4fe403efc0b9e63052c2aa1fbb5972f2abe)
|
|
list should be from the dnsdomain (ie lowercae).
Andrew Bartlett
(This used to be commit 10d692a1c216134b301b5851ce1e71ed93cc6164)
|
|
default SPN alias.
Andrew Bartlett
(This used to be commit e4fe5802dae544f4dabf0c6d04a55be1144d8820)
|
|
templating support for foreignSecurityPrincipals to the samdb module.
This is an extension beyond what microsoft does, and has been very
useful :-)
The setup scripts have been modified to use the new template, as has
the SAMR and LSA code.
Other cleanups in LSA remove the assumption that the short domain name
is the first component of the realm.
Also add a lot of useful debug messages, to make it clear how/why the
SamSync may have gone wrong. Many of these should perhaps be hooked
into an error string.
Andrew Bartlett
(This used to be commit 1f071b0609c5c83024db1d4a7d04334a932b8253)
|
|
dn: cn=foo,ou=bar
objectClass: person
implies
dn: cn=foo,ou=bar
objectClass: person
cn: foo
(as well as a pile more default attributes)
We also correct the case in the attirbute to match that in the DN
(win2k3 behaviour) and I have a testsuite (in ejs) to prove it.
This module also found a bug in our provision.ldif, so and reduces
code complexity in the samdb module.
Andrew Bartlett
(This used to be commit 0cc58f5c3cce12341ad0f7a90cdd85a3fab786b3)
|
|
domain name.
Remove the use of flatname from the main domain object, we no longer
reference it.
Andrew Bartlett
(This used to be commit 2303e24be74570187b23c3d31d0433263c83ba7e)
|
|
This is now calculated on the fly for every add and modify.
Andrew Bartlett
(This used to be commit ed1f2e029c840d2b3ecb49dbe6e8cd67588eeeed)
|
|
override the template for these attributes.
Andrew Bartlett
(This used to be commit 3462cbadb285313dfd88234b144d1921d2bcc880)
|
|
This ensures the templating code is used, and also makes it clearer
what I need to duplicate in the vampire area.
Also fix a silly bug in the template application code (the samdb
module) that caused templates to be compleatly unused (my fault, from
my commit last night).
Andrew Bartlett
(This used to be commit 4a8ef7197ff938942832034453f843cb8a50f2d1)
|
|
boilerplate attributes in every entry in provision.ldif.
The next step will be to use templates.
Andrew Bartlett
(This used to be commit 940ed9827f5ab83b668a60a2b0110567dd54c3e2)
|
|
This code applies correct ldap standard wildcard matching code
removes WILDCARD matching from tdb @ATTRIBUTES, that's now handled independently
adds some more tests for wildcard matching
fixes dn comparison code in ldb_match
(This used to be commit 4eb5863042011988d85092d7dde3d809aa15bd59)
|
|
REALM's
are working in the hdb-ldb module
metze
(This used to be commit d24f39a5d746b9eabc4d5f6f6070a85be084d82c)
|
|
- add --krbtgtpass and --machinepass options, with them you can easy set them to default
values for testing so that you don't need to setup a new keytab file when you rerun provision.pl
metze
(This used to be commit cfb72455970c182aaba67bf9cf9775a854f143ff)
|
|
(This used to be commit 1ba296b9d0ed1cf0961bdd3cde03f1ce56e1d72b)
|
|
Andrew Bartlett
(This used to be commit 90e94a4630c24282cd93ee05e258877b38e24a57)
|
|
so re-enable
indexing on objectSid
(This used to be commit 5781c83ba4ef919520e9668a40aafc8f74fe5700)
|
|
quite a large change as we had lots of code that assumed that
objectSid was a string in S- format.
metze and simo tried to convince me to use NDR format months ago, but
I didn't listen, so its fair that I have the pain of fixing all the
code now :-)
This builds on the ldb_register_samba_handlers() and ldif handlers
code I did earlier this week. There are still three parts of this
conversion I have not finished:
- the ltdb index records need to use the string form of the objectSid
(to keep the DNs sane). Until that it done I have disabled indexing on
objectSid, which is a big performance hit, but allows us to pass
all our tests while I rejig the indexing system to use a externally
supplied conversion function
- I haven't yet put in place the code that allows client to use the
"S-xxx-yyy" form for objectSid in ldap search expressions. w2k3
supports this, presumably by looking for the "S-" prefix to
determine what type of objectSid form is being used by the client. I
have been working on ways to handle this, but am not happy with
them yet so they aren't part of this patch
- I need to change pidl to generate push functions that take a
"const void *" instead of a "void*" for the data pointer. That will
fix the couple of new warnings this code generates.
Luckily it many places the conversion to NDR formatted records
actually simplified the code, as it means we no longer need as many
calls to dom_sid_parse_talloc(). In some places it got more complex,
but not many.
(This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c)
|
|
that w2k does work. For example, w2k asks for sAMAccountType=805306369 which
will only match if we know its an integer
(This used to be commit 941509ee58253b671bb74b2d8d8667cc6a1a4328)
|
|
unixName that we are running as in the test suite. Otherwise files are
created as a user without any entry in the sam, so the ACL doesn't
allow that user read permission when it should. This should fix the
RAW-ACLS test in the build farm.
(This used to be commit 30445483e4facb0a1d8a5979a2eac6c166193c09)
|
|
object on the
first DC in the forest!
metze
(This used to be commit 8ea59f23728450cd42c221e69f375d6e390c4a79)
|
|
and long names for a domain.
Add servicePrincipalName mapping table (administrator configurable),
in the same spot as microsoft uses.
Andrew Bartlett
(This used to be commit c25e78b4b34384a3a79a920f50f01be696a048ba)
|
|
(This used to be commit 4401c74fbc630d7ab7983c5f901483f3d7ddd8fb)
|
|
query with this
in uppercase)
(This used to be commit f0c37555ff30c3e5ff4680d0b33bc105ebd3a0b1)
|
|
We need to pass the 'secure channel type' to the NETLOGON layer, which
must match the account type.
(Yes, jelmer objects to this inclusion of the kitchen sink ;-)
Andrew Bartlett
(This used to be commit 8ee208a926d2b15fdc42753b1f9ee586564c6248)
|
|
- move provision stuff to setup/
- remove unused scripts
metze
(This used to be commit c35887ca649675f28ca986713a08082420418d74)
|