summaryrefslogtreecommitdiff
path: root/source4/setup/provision.ldif
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r23859: Work to have Group Policy work 'out of the box' in Samba4.Andrew Bartlett1-28/+0
This involves creating the SYSVOL and NETLOGON shares at provision time, and creating the right subdirectories. This also changes the behaviour of lp.get("foo") in ejs - we now return undefined, rather than syntax error, if the parameter doesn't exist (perhaps because the share isn't defined). Andrew Bartlett (This used to be commit 45cadf3bc0d38f6600666511a392e1ce353adee7)
2007-10-10r23815: Thanks to Matthias Wallnoefer <mwallnoefer@yahoo.de> for pointing outAndrew Bartlett1-2/+2
that we had the wrong objectClass for OU=Domain Controllers,${DOMAINDN} (was CN=Domain Controllers,${DOMAINDN}) This fixes both the SAMR server and the LDIF templates. Andrew Bartlett (This used to be commit 625a9e6c041bedc93925bdebb3a60af1dbdde317)
2007-10-10r23027: Make sure the parent object always exists.Andrew Bartlett1-0/+4
Andrew Bartlett (This used to be commit 55c7c0906ccb741ab002f460164ccbbe56b55a98)
2007-10-10r22984: not everyone uses tridgell.net (fortunately)Andrew Tridgell1-1/+1
(This used to be commit f60817d7970ab449ac327f4da312f10350b9636f)
2007-10-10r22972: added the basic ldif needed to support group policies in Samba4. WinXPAndrew Tridgell1-0/+28
clients do correctly see our group policies, but the gpmc admin tool doesn't yet work to allow you to edit the policies (This used to be commit 4c6e01a585f59caf7d2d87833f5eedc018ed8acc)
2007-10-10r20557: use ${DOMAINDN} instead of ${BASEDN}Stefan Metzmacher1-8/+8
metze (This used to be commit 2a6e6a2695b256411c91768c7bee748228e40e6f)
2007-10-10r20553: add ${CONFIGDN} and ${SCHEMADN} instead of using hardcoded pathsStefan Metzmacher1-10/+10
under ${BASEDN} metze (This used to be commit 09ca6aae12d8e10b76971cf269f7c62f228a4c87)
2007-10-10r20468: Patch from Martin Kuehl <kuehl@univention.de> to make it easier to loadAndrew Bartlett1-206/+0
into an exsting LDAP server. (Allow some parts to pre-exist, and try to blow away less data). Andrew Bartlett (This used to be commit 99faff0ad8fa12d596c599064a0125a6b3365134)
2007-10-10r20152: Commit missing files from last night's commit. We no longer maintainAndrew Bartlett1-0/+1
a distinction between PDC and BDC in the configuration files, only as an entry in the ldb. Andrew Bartlett (This used to be commit dc9eee7cb37e4a6828c2cba23b0d836df9eac7b5)
2007-10-10r16264: Add, but do not yet enable, the partitions module.Andrew Bartlett1-39/+4
This required changes to the rootDSE module, to allow registration of partitions. In doing so I renamed the 'register' operation to 'register_control' and 'register_partition', which changed a few more modules. Due to the behaviour of certain LDAP servers, we create the baseDN entry in two parts: Firstly, we allow the admin to export a simple LDIF file to add to their server. Then we perform a modify to add the remaining attributes. To delete all users in partitions, we must now search and delete all objects in the partition, rather than a simple search from the root. Against LDAP, this might not delete all objects, so we allow this to fail. In testing, we found that the 'Domain Controllers' container was misnamed, and should be 'CN=', rather than 'OU='. To avoid the Templates being found in default searches, they have been moved to CN=Templates from CN=Templates,${BASEDN}. Andrew Bartlett (This used to be commit b49a4fbb57f10726bd288fdc9fc95c0cbbe9094a)
2007-10-10r16166: Remove hexidecimal constants from the Samba4 provision files.Andrew Bartlett1-19/+19
This change is required for compatibility with the OSX client, in particular, but returning 0x80000002 rather than -2147483646 violates what LDAP clients expect in general. Andrew Bartlett (This used to be commit 81f3cd1c4592d2108d521acd701ed4a70a23c465)
2007-10-10r14200: Now we have real USN support, don't force the values in the provisionAndrew Bartlett1-52/+0
scripts. This tests the real module, and avoids duplication. Andrew Bartlett (This used to be commit 0859ba59ae00029177cd63366fc59efe8b19c973)
2007-10-10r12943: Generate a SID for the domain join account using the modules, ratherAndrew Bartlett1-1/+1
than a hardcoded SID. Fix the samldb module to return the what *was* the nextrid, rather than the new nextrid (that is for next time). Andrew Bartlett (This used to be commit ffe9042e15cebbc7ff1bac90ec39835753d6caa7)
2007-10-10r12905: add some ldap policiesSimo Sorce1-0/+33
not yet enforced except for the initial connection timeout (This used to be commit fa1ae9a44b0321b8e458bcb7fd1dcc9475b9bad3)
2007-10-10r11496: add a minimal ads-compatible schema into our sam.ldb setup. This isAndrew Tridgell1-0/+2
needed for mmc management of Samba4. (This used to be commit cbbce4fe403efc0b9e63052c2aa1fbb5972f2abe)
2007-10-10r11222: Small provision fixes: canonicalName is now generated, and the DC=Andrew Bartlett1-1/+0
list should be from the dnsdomain (ie lowercae). Andrew Bartlett (This used to be commit 10d692a1c216134b301b5851ce1e71ed93cc6164)
2007-10-10r10855: Put the domain SID in secrets.ldb by default, and add http as aAndrew Bartlett1-1/+1
default SPN alias. Andrew Bartlett (This used to be commit e4fe5802dae544f4dabf0c6d04a55be1144d8820)
2007-10-10r8790: Finish the migration of aliases and privilages with SamSync, by addingAndrew Bartlett1-458/+1
templating support for foreignSecurityPrincipals to the samdb module. This is an extension beyond what microsoft does, and has been very useful :-) The setup scripts have been modified to use the new template, as has the SAMR and LSA code. Other cleanups in LSA remove the assumption that the short domain name is the first component of the realm. Also add a lot of useful debug messages, to make it clear how/why the SamSync may have gone wrong. Many of these should perhaps be hooked into an error string. Andrew Bartlett (This used to be commit 1f071b0609c5c83024db1d4a7d04334a932b8253)
2007-10-10r8740: Extend the rdn_name module to handle adding the rdn as an attribute. ie:Andrew Bartlett1-1/+1
dn: cn=foo,ou=bar objectClass: person implies dn: cn=foo,ou=bar objectClass: person cn: foo (as well as a pile more default attributes) We also correct the case in the attirbute to match that in the DN (win2k3 behaviour) and I have a testsuite (in ejs) to prove it. This module also found a bug in our provision.ldif, so and reduces code complexity in the samdb module. Andrew Bartlett (This used to be commit 0cc58f5c3cce12341ad0f7a90cdd85a3fab786b3)
2007-10-10r8677: The first part of the domain name may not be equal to the netbios ↵Andrew Bartlett1-2/+1
domain name. Remove the use of flatname from the main domain object, we no longer reference it. Andrew Bartlett (This used to be commit 2303e24be74570187b23c3d31d0433263c83ba7e)
2007-10-10r8667: Further simply the provision script, by removing the 'name' attribute.Andrew Bartlett1-51/+0
This is now calculated on the fly for every add and modify. Andrew Bartlett (This used to be commit ed1f2e029c840d2b3ecb49dbe6e8cd67588eeeed)
2007-10-10r8662: Revert change to CN=Cert Publishers, this group still needs toAndrew Bartlett1-0/+2
override the template for these attributes. Andrew Bartlett (This used to be commit 3462cbadb285313dfd88234b144d1921d2bcc880)
2007-10-10r8660: Use templates for the initial provision of user and computer accounts.Andrew Bartlett1-232/+0
This ensures the templating code is used, and also makes it clearer what I need to duplicate in the vampire area. Also fix a silly bug in the template application code (the samdb module) that caused templates to be compleatly unused (my fault, from my commit last night). Andrew Bartlett (This used to be commit 4a8ef7197ff938942832034453f843cb8a50f2d1)
2007-10-10r8650: Use the timestamps and a new objectguid module rather than placingAndrew Bartlett1-201/+0
boilerplate attributes in every entry in provision.ldif. The next step will be to use templates. Andrew Bartlett (This used to be commit 940ed9827f5ab83b668a60a2b0110567dd54c3e2)
2007-10-10r8373: New wildcard matching code.Simo Sorce1-3/+0
This code applies correct ldap standard wildcard matching code removes WILDCARD matching from tdb @ATTRIBUTES, that's now handled independently adds some more tests for wildcard matching fixes dn comparison code in ldb_match (This used to be commit 4eb5863042011988d85092d7dde3d809aa15bd59)
2007-10-10r8225: make nETBIOSName case insensitive, so that lower case netbios domain ↵Stefan Metzmacher1-0/+1
REALM's are working in the hdb-ldb module metze (This used to be commit d24f39a5d746b9eabc4d5f6f6070a85be084d82c)
2007-10-10r8158: - use the timestring for the serial number of the bind zone fileStefan Metzmacher1-2/+2
- add --krbtgtpass and --machinepass options, with them you can easy set them to default values for testing so that you don't need to setup a new keytab file when you rerun provision.pl metze (This used to be commit cfb72455970c182aaba67bf9cf9775a854f143ff)
2007-10-10r8055: added canonicalName to our domainDns recordAndrew Tridgell1-0/+1
(This used to be commit 1ba296b9d0ed1cf0961bdd3cde03f1ce56e1d72b)
2007-10-10r7988: Store the KVNO for the machine account, and set it up in the provision.Andrew Bartlett1-0/+1
Andrew Bartlett (This used to be commit 90e94a4630c24282cd93ee05e258877b38e24a57)
2007-10-10r7900: the existing ltdb indexing code does in fact cope with binary fields, ↵Andrew Tridgell1-1/+1
so re-enable indexing on objectSid (This used to be commit 5781c83ba4ef919520e9668a40aafc8f74fe5700)
2007-10-10r7860: switch our ldb storage format to use a NDR encoded objectSid. This isAndrew Tridgell1-1/+1
quite a large change as we had lots of code that assumed that objectSid was a string in S- format. metze and simo tried to convince me to use NDR format months ago, but I didn't listen, so its fair that I have the pain of fixing all the code now :-) This builds on the ldb_register_samba_handlers() and ldif handlers code I did earlier this week. There are still three parts of this conversion I have not finished: - the ltdb index records need to use the string form of the objectSid (to keep the DNs sane). Until that it done I have disabled indexing on objectSid, which is a big performance hit, but allows us to pass all our tests while I rejig the indexing system to use a externally supplied conversion function - I haven't yet put in place the code that allows client to use the "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3 supports this, presumably by looking for the "S-" prefix to determine what type of objectSid form is being used by the client. I have been working on ways to handle this, but am not happy with them yet so they aren't part of this patch - I need to change pidl to generate push functions that take a "const void *" instead of a "void*" for the data pointer. That will fix the couple of new warnings this code generates. Luckily it many places the conversion to NDR formatted records actually simplified the code, as it means we no longer need as many calls to dom_sid_parse_talloc(). In some places it got more complex, but not many. (This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c)
2007-10-10r7727: we need to mark some attributes as INTEGER, so that the standard searchesAndrew Tridgell1-0/+4
that w2k does work. For example, w2k asks for sAMAccountType=805306369 which will only match if we know its an integer (This used to be commit 941509ee58253b671bb74b2d8d8667cc6a1a4328)
2007-10-10r7499: ensure that the account we run tests as ("Administrator") maps to theAndrew Tridgell1-1/+1
unixName that we are running as in the test suite. Otherwise files are created as a user without any entry in the sam, so the ACL doesn't allow that user read permission when it should. This should fix the RAW-ACLS test in the build farm. (This used to be commit 30445483e4facb0a1d8a5979a2eac6c166193c09)
2007-10-10r6884: the invocationID is only used as objectGUID on the NTDS Settings ↵Stefan Metzmacher1-3/+3
object on the first DC in the forest! metze (This used to be commit 8ea59f23728450cd42c221e69f375d6e390c4a79)
2007-10-10r6883: Move to what simo assures me is the 'correct' way to find the NetBIOSAndrew Bartlett1-6/+46
and long names for a domain. Add servicePrincipalName mapping table (administrator configurable), in the same spot as microsoft uses. Andrew Bartlett (This used to be commit c25e78b4b34384a3a79a920f50f01be696a048ba)
2007-10-10r6868: the @ATTRIBUTES object format has changedSimo Sorce1-3/+6
(This used to be commit 4401c74fbc630d7ab7983c5f901483f3d7ddd8fb)
2007-10-10r6751: dnsDomain should be CASE_INSENSITIVE (winxp will sometimes do a cldap ↵Andrew Tridgell1-0/+1
query with this in uppercase) (This used to be commit f0c37555ff30c3e5ff4680d0b33bc105ebd3a0b1)
2007-10-10r6565: Cludge, cludge, cludge...Andrew Bartlett1-0/+1
We need to pass the 'secure channel type' to the NETLOGON layer, which must match the account type. (Yes, jelmer objects to this inclusion of the kitchen sink ;-) Andrew Bartlett (This used to be commit 8ee208a926d2b15fdc42753b1f9ee586564c6248)
2007-10-10r6207: - clean up source topdirStefan Metzmacher1-0/+1246
- move provision stuff to setup/ - remove unused scripts metze (This used to be commit c35887ca649675f28ca986713a08082420418d74)