Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
S-1-5-20 doesn't exist anymore
|
|
|
|
|
|
now located elsewhere
This is needed due to the new RID/SID distribution system
|
|
Some WSPP locations point out that beginning with Windows Server 2008 they're
also per default present.
Compared against Windows Server 2008
|
|
Compared against Windows Server 2008
|
|
RODC support
RODC = Read Only Domain Controllers
Compared against Windows Server 2008
|
|
Compared against Windows Server 2008
|
|
Sorted according the SID - easier for later enhancements.
|
|
Objects like the "Cryptographic Operators", "Event Log Readers" don't belong
here but into the builtin domain.
|
|
|
|
Our schema is getting a bit cleaner :-)
|
|
(So they can be always found by the SAMLDB module)
|
|
I fixed them up to match with Windows Server 2003. I don't think that the
creation of them in the provision script is needed so I put them in the
"provision_users.ldif" file.
|
|
"samldb" changes
The "provision_users.ldif" file needs some rework to pass against the changed
and improved "samldb" module (see next commit).
|
|
This commit includes:
- Additional static object data in SAMBA 4's AD to start supporting of
- forest updates, - lost and found, - quotas on DS, - physical locations,
- licensing of sites, - subnets, - policies for WMI, - DNS entries in AD
- Reordering of provision*.ldif files to be able to find entries and make future
additions easier
- Add comments in provision*.ldif files to point out where subentries are located
when they are based in other LDIFs
- Removations of autogenerated "cn" attributes
|
|
- Adds more system objects which make sense to have them in SAMBA 4 also to
have them when we add more and more services related to the directory (volume
support, DFS, replication service, COM...)
- Make sure that "isCriticalSystemObject" and "showInAdvancedViewOnly" attributes
are set correctly on each object
|
|
Set the values like Windows Server 2003 R2.
|
|
|
|
value in for group type to avoid sign extension, otherwise we don't
find the builtin groups
(This used to be commit 9b558639395bd8209313bb7ed2e04821c83975a4)
|
|
This attribute is used in a very similar way (virtual attribute
updating the password) in AD on Win2003, so eliminate the difference.
This should not cause a problem for on-disk passwords, as by default
we do not store the plaintext at all.
Andrew Bartlett
(This used to be commit 1cf0d751493b709ef6b2234ec8847a7499f48ab3)
|
|
(This used to be commit be47cc7fdfa3cae0508e564f38b793aa27b6eb92)
|
|
Slowly work away at the samldb module again, it is clear that AD does
not use much of a templating system. samAccountType is managed, as
far as I can tell, when groupType or userAccountControl changes.
Andrew Bartlett
(This used to be commit 447d5a795441aa6beab2f057c5ac1bc3c04e08c4)
|
|
This means we only show and set the values when they are not the
values the schema and objectclass module would impose.
Andrew Bartlett
(This used to be commit c2f2e01357c1b087aa1261fb2cac8687426d5a78)
|
|
The instanceid module creates this automaticlly, so we don't need this
any more.
Andrew Bartlett
(This used to be commit f6dbdf34e8a790f460b705100e45ee3928b6b1b3)
|
|
invalid entries with a linked attribute.
Make Samba4 pass that test, by fixing a silly bug in the
linked_attributes module. (By passing down the 'original' request
structure, tdb would override our handle, and therefore we would never
be called for the 'wait', which collects the errors).
Fix up the provision templates to handle the newly required
referential integrity.
Andrew Bartlett
(This used to be commit 0377d85bbdcb2c4f110b0519005f0d1d10bc0c0b)
|
|
Much more work is still required here, particularly to handle this
better during the provision, and to handle modifies and deletes, but
this is a start.
Andrew Bartlett
(This used to be commit 2ba99d58e9fe1f8e4b15a58a2fdfce6e876f99b4)
|
|
--server-role
This must be set to either 'domain controller', 'domain member' or 'standalone'.
The default for the provision now changes to 'standalone'.
This is not because Samba4 is particularlly useful in that mode, but
because we still want a positive sign from the administrator that we
should advertise as a DC.
We now do more to ensure the 'standalone' and 'member server'
provision output is reasonable, and try not to set odd things into the
database that only belong for the DC.
Andrew Bartlett
(This used to be commit 4cc4ed7719aff712e735628410bd3813c7d6aa40)
|
|
provision failures when some of the random password values are illigal
LDIF.
Andrew Bartlett
(This used to be commit 876003f6c6466bfd37ec9b05c9a1f1cc83dd9898)
|
|
The keytab in dns.keytab should (I hope) do the job.
Andrew Bartlett
(This used to be commit af4d331eef91ef7699d179d15e7337fff1eff7bb)
|
|
with a patch from Andrew Kroeger <andrew@sprocks.gotdns.com>.
The changes to samldb_fill_foreignSecurityPrincipal_object() look much
larger then they are: We just skip all the objectSid generation if the
SID is supplied.
By providing a few more objects, standard dialogs on the clients are
better behaved, for these 'well known' users.
Andrew Bartlett
(This used to be commit 35ee4aee719e69983d650602d1c6422a31600001)
|
|
autogenerated by the objectclass module when the the entries are
added.
Andrew Bartlett
(This used to be commit 79e13349f00d009fc5dd0cdddade379df906ebc8)
|
|
where LDB isn't as strict as OpenLDAP, the self join record contains
duplicate servicePrincipalNames once the DNS name and domain name are
made equal. (Easier to just skip the useless self-join).
Andrew Bartlett
(This used to be commit 49ff929be6fcf57721532de13bdd7a7e1617af6f)
|
|
metze
(This used to be commit 2a6e6a2695b256411c91768c7bee748228e40e6f)
|
|
under ${BASEDN}
metze
(This used to be commit 09ca6aae12d8e10b76971cf269f7c62f228a4c87)
|
|
This lets the modules or backend generate the host and domain GUID,
rather than the randguid() function. These can still be specified
from the command line.
Andrew Bartlett
(This used to be commit 32996ca9d62568006f8bee85a1f2f37c64c04fb5)
|
|
This required changes to the rootDSE module, to allow registration of
partitions. In doing so I renamed the 'register' operation to
'register_control' and 'register_partition', which changed a few more
modules.
Due to the behaviour of certain LDAP servers, we create the baseDN
entry in two parts: Firstly, we allow the admin to export a simple
LDIF file to add to their server. Then we perform a modify to add the
remaining attributes.
To delete all users in partitions, we must now search and delete all
objects in the partition, rather than a simple search from the root.
Against LDAP, this might not delete all objects, so we allow this to
fail.
In testing, we found that the 'Domain Controllers' container was
misnamed, and should be 'CN=', rather than 'OU='.
To avoid the Templates being found in default searches, they have been
moved to CN=Templates from CN=Templates,${BASEDN}.
Andrew Bartlett
(This used to be commit b49a4fbb57f10726bd288fdc9fc95c0cbbe9094a)
|
|
This change is required for compatibility with the OSX client, in
particular, but returning 0x80000002 rather than -2147483646 violates
what LDAP clients expect in general.
Andrew Bartlett
(This used to be commit 81f3cd1c4592d2108d521acd701ed4a70a23c465)
|
|
scripts.
This tests the real module, and avoids duplication.
Andrew Bartlett
(This used to be commit 0859ba59ae00029177cd63366fc59efe8b19c973)
|
|
the main provision logic, so it can also be used as part of the
vampire process
(This used to be commit 95e90169f4e5887ee88116179d96f28f9e06796e)
|
|
than a hardcoded SID.
Fix the samldb module to return the what *was* the nextrid, rather
than the new nextrid (that is for next time).
Andrew Bartlett
(This used to be commit ffe9042e15cebbc7ff1bac90ec39835753d6caa7)
|
|
Because we don't know the syntax of unicodePwd, we want to avoid using
that attribute name. It may cause problems later when we get
replication form windows.
I'm doing this before the tech preview, so we don't get too many
supprises as folks upgrade databases into later versions.
Andrew Bartlett
(This used to be commit 097d9d0b7fd3b1a10fb7039f0671fd459bed2d1b)
|
|
This fixes a problem I had with kpasswd, as the account had 'expired'
due to the old pwdLastSet, hardcoded in the ldif.
Andrew Bartlett
(This used to be commit 1a9992e56a777771ad963af87481ce4ffb8cbf56)
|
|
We need to add to the multivalued objectClass, not ignore it because
the user has already specified a value.
Also rename the template again.
This was caught by more stringent tests in the unicodePwd module, but
breaks MMC. A later commit will sort the objectClass.
Andrew Bartlett
(This used to be commit 0aaff059ba76c7eee86f37bfd74735c1c365d55f)
|
|
Andrew Bartlett
(This used to be commit b3929230b210bd6f0b12f90f48767aa861fd08fa)
|
|
in provision.
Andrew Bartlett
(This used to be commit 8ed61562803f92eb110742ac45cff36c8fe8eca3)
|
|
as users in mmc.
The problem was that the samdb module was auto-adding objectClass=user
for these accounts. That would be OK, as computer accounts are
supposed to be in that objectClass, but mmc cares about the order of
the values in the objectClass attribute! It looks for the last value,
and takes that as the value to use when deciding how to manipulate the record.
So, this patch adds an explicit objectClass=user to the record when it
gets created, which tells the samdb module to not add it as well. That
fixes the order. I suspect we are missing something else though - is
objectClass supposed to auto-sort based on the schema?
(This used to be commit 68c5f807fdb99fd605154d455e61a08293cbd2d0)
|
|
templating support for foreignSecurityPrincipals to the samdb module.
This is an extension beyond what microsoft does, and has been very
useful :-)
The setup scripts have been modified to use the new template, as has
the SAMR and LSA code.
Other cleanups in LSA remove the assumption that the short domain name
is the first component of the realm.
Also add a lot of useful debug messages, to make it clear how/why the
SamSync may have gone wrong. Many of these should perhaps be hooked
into an error string.
Andrew Bartlett
(This used to be commit 1f071b0609c5c83024db1d4a7d04334a932b8253)
|