path: root/source4/setup/provision_self_join.ldif
Commit log (columns: age, commit message, author, files changed, lines -removed/+added)
2011-09-08  s4-provision: LDIF files to set up AD DNS schema
            [Amitay Isaacs; 1 file; -2/+2]
    These files set up DomainDnsZones and ForestDnsZones partitions and other configuration parameters for replication.
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>

2010-11-09  s4:provision_self_join.ldif - the object SID in AD is called "objectSid"
            [Matthias Dieter Wallnöfer; 1 file; -1/+1]
    Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
    Autobuild-Date: Tue Nov 9 13:18:29 UTC 2010 on sn-devel-104

2010-11-09  s4:provision - switch to "clearTextPassword" for setting passwords
            [Matthias Dieter Wallnöfer; 1 file; -1/+1]
    This is the default password set/change attribute for s4-specific purposes (otherwise, in respect to Windows, it's "unicodePwd"). We move away from "userPassword" since on Windows it's not activated by default - and s4 will follow soon.

2010-10-31  s4:provision - remove the "servicePrincipalName" creation on the DC object
            [Matthias Dieter Wallnöfer; 1 file; -14/+2]
    This is now done by the "samba_spnupdate" script.

2010-10-13  s4:setup/provision_self_join.ldif - let the samldb LDB module fill in "isCriticalSystemObject"
            [Matthias Dieter Wallnöfer; 1 file; -1/+1]
    It recognizes it now automatically.

2010-09-12  s4:setup/provision_self_join.ldif - now the samldb LDB module detects automatically that this is a DC account
            [Matthias Dieter Wallnöfer; 1 file; -1/+0]

2010-06-26  s4:provision: don't use hardcoded values for 'nextRid' and 'rIDAvailablePool'
            [Stefan Metzmacher; 1 file; -1/+1]
    On Windows dcpromo imports nextRid from the local SAM, which means it's not hardcoded to 1000. The initial rIDAvailablePool starts at nextRid + 100.
    I also found that the RID Set of the local DC should be created via provision and not at runtime, when the first RID is needed. (Tested with dcpromo on w2k8r2, while disabling the DNS check box.)
    After provision we should have this (assuming nextRid=1000):
        rIDAllocationPool: 1100-1599
        rIDPrevAllocationPool: 1100-1599
        rIDUsedPool: 0
        rIDNextRID: 1100
        rIDAvailablePool: 1600-1073741823
    Because provision sets rIDNextRid=1100, the first created account (typically DNS related accounts) will get 1101 as RID!
    metze

2010-02-21  s4:AD content - Add the DFSR objects which exist on Windows Server >= 2008
            [Matthias Dieter Wallnöfer; 1 file; -2/+2]
    Those replace the FRS ones.

2010-01-08  s4:provision_self_join.ldif - Adapt comment after implementation of distributed RIDs
            [Matthias Dieter Wallnöfer; 1 file; -2/+2]

2010-01-08  s4-provision: don't hard wire the creation of the RID Set object
            [Andrew Tridgell; 1 file; -25/+1]
    We now create it automatically in the samldb module when the first user is created. The creation of the dns user also had to move to the _modify.ldif as it now relies on the FSMO role being set up for the RID Manager.
    Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

2010-01-08  s4-provision: the DC object itself needs a fixed objectSID
            [Andrew Tridgell; 1 file; -1/+2]
    We can't allocate an objectSID until we have rIDSetReferences, but that is in the DC object, so we have to force the objectSID of the DC.
    Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

2010-01-08  s4-provision: added an initial RID Set
            [Andrew Tridgell; 1 file; -1/+10]
    We will allocate RIDs from this set.
    Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

2009-10-02  s4: Improve provisioning: use relax control
            [Matthieu Patou; 1 file; -0/+1]
    Give the possibility to specify controls when loading ldif files. Relax control is specified by default for all ldb_add_diff (request Andrew B).
    Set domainguid if specified at the creation of the object instead of modifying it afterward.
    Allow to specify objectGUID for the NTDS object of the first DC; this option is used during provision upgrade.

2009-09-17  s4:provision - Some rework (continuation)
            [Matthias Dieter Wallnöfer; 1 file; -30/+52]
    - Fix up "servicePrincipalNames" attributes on the DC object
    - Add some informative comments (most in "provision_self_join.ldif")
    - Add also comments where objects are missing which we may add later when we support the feature (mainly for FRS)
    - Add "domain updates" objects also under "CN=Configuration" (they exist twice)
    - Add the default services under "Services" to allow interoperability with some MS client tools
    - Smaller changes

2009-08-11  s4:AD LDIFs - More refactoring
            [Matthias Dieter Wallnöfer; 1 file; -5/+1]
    This commit includes:
    - Additional static object data in SAMBA 4's AD to start supporting:
      - forest updates,
      - lost and found,
      - quotas on DS,
      - physical locations,
      - licensing of sites,
      - subnets,
      - policies for WMI,
      - DNS entries in AD
    - Reordering of provision*.ldif files to be able to find entries and make future additions easier
    - Add comments in provision*.ldif files to point out where subentries are located when they are based in other LDIFs
    - Removal of autogenerated "cn" attributes

2009-07-20  [SAMBA 4 directory] Refactoring and clean up of directory structure
            [Matthias Dieter Wallnöfer; 1 file; -3/+2]
    - Adds more system objects which make sense to have in SAMBA 4, also to have them when we add more and more services related to the directory (volume support, DFS, replication service, COM...)
    - Make sure that "isCriticalSystemObject" and "showInAdvancedViewOnly" attributes are set correctly on each object

2009-07-16  s4:dsdb Handle dc/domain/forest functional levels properly
            [Andrew Bartlett; 1 file; -2/+2]
    Rather than have the functional levels scattered in 4 different, unconnected locations, the provision script now sets it, and the rootdse module maintains its copy only as a cached view onto the original values. We also use the functional level to determine if we should store AES Kerberos keys.
    Andrew Bartlett

2009-07-01  [SAMBA 4 directory] Adds the complete "objectclass path" to our self-created DC object
            [Matthias Dieter Wallnöfer; 1 file; -0/+4]
    Found after some comparisons against Windows Server 2003 R2.

2008-07-12  rename sambaPassword -> userPassword.
            [Andrew Bartlett; 1 file; -2/+2]
    This attribute is used in a very similar way (virtual attribute updating the password) in AD on Win2003, so eliminate the difference. This should not cause a problem for on-disk passwords, as by default we do not store the plaintext at all.
    Andrew Bartlett
    (This used to be commit 1cf0d751493b709ef6b2234ec8847a7499f48ab3)

2008-04-09  Be consistent in using ${SEVERDN}.
            [Andrew Bartlett; 1 file; -2/+2]
    This ensures we don't fall out of sync with the provision scripts.
    Andrew Bartlett
    (This used to be commit 566c60b4649e2b94bf467993acd4bf72c7368e5a)

2008-04-02  Remove references to setting the host GUID, as the repl_meta_data module prohibits it anyway.
            [Andrew Bartlett; 1 file; -1/+0]
    Andrew Bartlett
    (This used to be commit c5b287c056855892f30fbbf32efe7d65da31ce91)

2008-02-28  Users and computers now share the same template.
            [Andrew Bartlett; 1 file; -2/+0]
    Slowly work away at the samldb module again; it is clear that AD does not use much of a templating system. samAccountType is managed, as far as I can tell, when groupType or userAccountControl changes.
    Andrew Bartlett
    (This used to be commit 447d5a795441aa6beab2f057c5ac1bc3c04e08c4)

2008-01-18  Remove default 'showInAdvancedViewOnly' values.
            [Andrew Bartlett; 1 file; -3/+1]
    This means we only show and set the values when they are not the values the schema and objectclass module would impose.
    Andrew Bartlett
    (This used to be commit c2f2e01357c1b087aa1261fb2cac8687426d5a78)

2008-01-18  Don't manually specify instanceID in the template files.
            [Andrew Bartlett; 1 file; -2/+0]
    The instanceid module creates this automatically, so we don't need this any more.
    Andrew Bartlett
    (This used to be commit f6dbdf34e8a790f460b705100e45ee3928b6b1b3)

2007-12-21  r26298: Use metze's schema loading code to pre-initialise the schema into the samdb before we start writing entries into it.
            [Andrew Bartlett; 1 file; -1/+6]
    In doing so, I realised we still used 'dnsDomain', which is not part of the standard schema (now removed).
    We also set the 'wrong' side of the linked attributes for the masteredBy on each partition - this is now set in provision_self_join and backlinks via the linked attributes code.
    When we have the schema loaded, we must also have a valid domain SID loaded, so that the objectclass module works. This required some ejs glue.
    Andrew Bartlett
    (This used to be commit b0de08916e8cb59ce6a2ea94bbc9ac0679830ac1)

2007-10-10  r25452: Move the creation of the server entry to the self join, as this makes no sense on a member server.
            [Andrew Bartlett; 1 file; -0/+23]
    Andrew Bartlett
    (This used to be commit 70467fa4c5d25b83c48dbbeb8236d5acb4550e77)

2007-10-10  r25299: Modify the provision script to take an additional argument: --server-role
            [Andrew Bartlett; 1 file; -0/+18]
    This must be set to either 'domain controller', 'domain member' or 'standalone'. The default for the provision now changes to 'standalone'. This is not because Samba4 is particularly useful in that mode, but because we still want a positive sign from the administrator that we should advertise as a DC.
    We now do more to ensure the 'standalone' and 'member server' provision output is reasonable, and try not to set odd things into the database that only belong for the DC.
    Andrew Bartlett
    (This used to be commit 4cc4ed7719aff712e735628410bd3813c7d6aa40)

2007-10-10  r24760: Ensure we base64 encode any password being put into LDIF, to avoid provision failures when some of the random password values are illegal LDIF.
            [Andrew Bartlett; 1 file; -1/+1]
    Andrew Bartlett
    (This used to be commit 876003f6c6466bfd37ec9b05c9a1f1cc83dd9898)

2007-10-10  r23815: Thanks to Matthias Wallnoefer <mwallnoefer@yahoo.de> for pointing out that we had the wrong objectClass for OU=Domain Controllers,${DOMAINDN} (was CN=Domain Controllers,${DOMAINDN})
            [Andrew Bartlett; 1 file; -1/+1]
    This fixes both the SAMR server and the LDIF templates.
    Andrew Bartlett
    (This used to be commit 625a9e6c041bedc93925bdebb3a60af1dbdde317)

2007-10-10  r23720: Allow the member server to work against an LDAP Backend.
            [Andrew Bartlett; 1 file; -0/+23]
    Another case where LDB isn't as strict as OpenLDAP: the self join record contains duplicate servicePrincipalNames once the DNS name and domain name are made equal. (Easier to just skip the useless self-join.)
    Andrew Bartlett
    (This used to be commit 49ff929be6fcf57721532de13bdd7a7e1617af6f)