path: root/source4/setup/provision_users.ldif
Age | Commit message | Author | Files | Lines
2010-05-13 | s4:provision_users.ldif - fix up and reorder the well-known security principals | Matthias Dieter Wallnöfer | 1 | -5/+10
2010-05-13 | s4:provision_users.ldif - On Windows Server >= 2008 security principal S-1-5-20 doesn't exist anymore | Matthias Dieter Wallnöfer | 1 | -6/+0
2010-05-13 | s4:provision_users.ldif - fix up Administrator's "userAccountControl" | Matthias Dieter Wallnöfer | 1 | -1/+1
2010-05-13 | s4:provision_users.ldif - Fix typos in user/group objects | Matthias Dieter Wallnöfer | 1 | -13/+13
2010-01-14 | s4:provision_users.ldif - Add a comment that some objects under "Users" are now located elsewhere | Matthias Dieter Wallnöfer | 1 | -0/+3
This is needed due to the new RID/SID distribution system
2010-01-14 | s4:provision_users.ldif - Add objects for IIS | Matthias Dieter Wallnöfer | 1 | -0/+21
Some WSPP locations point out that beginning with Windows Server 2008 they're also per default present. Compared against Windows Server 2008
2010-01-14 | s4:provision_users.ldif - Add additional BUILTIN objects | Matthias Dieter Wallnöfer | 1 | -0/+30
Compared against Windows Server 2008
2010-01-14 | s4:provision_users.ldif - add the remaining part of the objects needed for RODC support | Matthias Dieter Wallnöfer | 1 | -0/+26
RODC = Read Only Domain Controllers
Compared against Windows Server 2008
2010-01-14 | s4:provision_users.ldif - Fix up errors on existing entries | Matthias Dieter Wallnöfer | 1 | -6/+8
Compared against Windows Server 2008
2010-01-14 | s4:provision_users.ldif - Simple reordering | Matthias Dieter Wallnöfer | 1 | -70/+70
Sorted according to the SID - easier for later enhancements.
2010-01-14 | s4:provision_users.ldif - Remove system objects from the wrong place | Matthias Dieter Wallnöfer | 1 | -27/+0
Objects like the "Cryptographic Operators", "Event Log Readers" don't belong here but into the builtin domain.
2009-11-17 | s4:provision_users.ldif - Descriptions generally begin with a majuscule | Matthias Dieter Wallnöfer | 1 | -2/+2
2009-10-17 | s4-provision: removed the old privilege attributes | Andrew Tridgell | 1 | -40/+0
Our schema is getting a bit cleaner :-)
2009-10-02 | s4:provision_users.ldif - Put potential primary groups in front of the file | Matthias Dieter Wallnöfer | 1 | -19/+20
(So they can be always found by the SAMLDB module)
2009-09-07 | s4:Foreign security principals - Fix them up | Matthias Dieter Wallnöfer | 1 | -0/+29
I fixed them up to match with Windows Server 2003. I don't think that the creation of them in the provision script is needed so I put them in the "provision_users.ldif" file.
2009-09-07 | s4:provision - Change the "provision_users.ldif" file to support the "samldb" changes | Matthias Dieter Wallnöfer | 1 | -26/+35
The "provision_users.ldif" file needs some rework to pass against the changed and improved "samldb" module (see next commit).
2009-08-11 | s4:AD LDIFs - More refactoring | Matthias Dieter Wallnöfer | 1 | -61/+0
This commit includes:
- Additional static object data in SAMBA 4's AD to start supporting
  - forest updates,
  - lost and found,
  - quotas on DS,
  - physical locations,
  - licensing of sites,
  - subnets,
  - policies for WMI,
  - DNS entries in AD
- Reordering of provision*.ldif files to be able to find entries and make future additions easier
- Add comments in provision*.ldif files to point out where subentries are located when they are based in other LDIFs
- Removal of autogenerated "cn" attributes
2009-07-20 | [SAMBA 4 directory] Refactoring and clean up of directory structure | Matthias Dieter Wallnöfer | 1 | -18/+8
- Adds more system objects which make sense to have them in SAMBA 4 also to have them when we add more and more services related to the directory (volume support, DFS, replication service, COM...)
- Make sure that "isCriticalSystemObject" and "showInAdvancedViewOnly" attributes are set correctly on each object
2009-07-01 | [SAMBA 4 directory] Corrects the "systemFlags" attributes | Matthias Dieter Wallnöfer | 1 | -18/+18
Set the values like Windows Server 2003 R2.
2008-09-29 | added some more well known SIDs - thanks to the WSPP LSAT test suite | Andrew Tridgell | 1 | -0/+60
2008-08-22 | now that ldap integers are 32 bit, we need to put the right 32 bit | Andrew Tridgell | 1 | -19/+19
value in for group type to avoid sign extension, otherwise we don't find the builtin groups (This used to be commit 9b558639395bd8209313bb7ed2e04821c83975a4)
2008-07-12 | rename sambaPassword -> userPassword. | Andrew Bartlett | 1 | -2/+2
This attribute is used in a very similar way (virtual attribute updating the password) in AD on Win2003, so eliminate the difference. This should not cause a problem for on-disk passwords, as by default we do not store the plaintext at all. Andrew Bartlett (This used to be commit 1cf0d751493b709ef6b2234ec8847a7499f48ab3)
2008-03-07 | accountExpires: Windows default is 9223372036854775807, not -1. | Andrew Kroeger | 1 | -1/+1
(This used to be commit be47cc7fdfa3cae0508e564f38b793aa27b6eb92)
2008-02-28 | Users and computers now share the same template. | Andrew Bartlett | 1 | -20/+0
Slowly work away at the samldb module again, it is clear that AD does not use much of a templating system. samAccountType is managed, as far as I can tell, when groupType or userAccountControl changes. Andrew Bartlett (This used to be commit 447d5a795441aa6beab2f057c5ac1bc3c04e08c4)
2008-01-18 | Remove default 'showInAdvancedViewOnly' values. | Andrew Bartlett | 1 | -25/+0
This means we only show and set the values when they are not the values the schema and objectclass module would impose. Andrew Bartlett (This used to be commit c2f2e01357c1b087aa1261fb2cac8687426d5a78)
2008-01-18 | Don't manually specify instanceID in the template files. | Andrew Bartlett | 1 | -3/+0
The instanceid module creates this automatically, so we don't need this any more. Andrew Bartlett (This used to be commit f6dbdf34e8a790f460b705100e45ee3928b6b1b3)
2007-12-21 | r25891: Test that we get the correct return value when we attempt to reference | Andrew Bartlett | 1 | -121/+121
invalid entries with a linked attribute. Make Samba4 pass that test, by fixing a silly bug in the linked_attributes module. (By passing down the 'original' request structure, tdb would override our handle, and therefore we would never be called for the 'wait', which collects the errors). Fix up the provision templates to handle the newly required referential integrity. Andrew Bartlett (This used to be commit 0377d85bbdcb2c4f110b0519005f0d1d10bc0c0b)
2007-12-21 | r25747: Implement linked attributes, for add operations. | Andrew Bartlett | 1 | -10/+0
Much more work is still required here, particularly to handle this better during the provision, and to handle modifies and deletes, but this is a start. Andrew Bartlett (This used to be commit 2ba99d58e9fe1f8e4b15a58a2fdfce6e876f99b4)
2007-10-10 | r25299: Modify the provision script to take an additional argument: --server-role | Andrew Bartlett | 1 | -16/+0
This must be set to either 'domain controller', 'domain member' or 'standalone'. The default for the provision now changes to 'standalone'. This is not because Samba4 is particularly useful in that mode, but because we still want a positive sign from the administrator that we should advertise as a DC. We now do more to ensure the 'standalone' and 'member server' provision output is reasonable, and try not to set odd things into the database that only belong for the DC. Andrew Bartlett (This used to be commit 4cc4ed7719aff712e735628410bd3813c7d6aa40)
2007-10-10 | r24760: Ensure we base64 encode any password being put into LDIF, to avoid | Andrew Bartlett | 1 | -3/+3
provision failures when some of the random password values are illegal LDIF. Andrew Bartlett (This used to be commit 876003f6c6466bfd37ec9b05c9a1f1cc83dd9898)
2007-10-10 | r24729: First try at publishing a DNS service account, for folks to play with. | Andrew Bartlett | 1 | -0/+16
The keytab in dns.keytab should (I hope) do the job. Andrew Bartlett (This used to be commit af4d331eef91ef7699d179d15e7337fff1eff7bb)
2007-10-10 | r24696: Fix bug 4918 reported by Matthias Wallnöfer <mwallnoefer@yahoo.de> | Andrew Bartlett | 1 | -0/+237
with a patch from Andrew Kroeger <andrew@sprocks.gotdns.com>. The changes to samldb_fill_foreignSecurityPrincipal_object() look much larger than they are: We just skip all the objectSid generation if the SID is supplied. By providing a few more objects, standard dialogs on the clients are better behaved, for these 'well known' users. Andrew Bartlett (This used to be commit 35ee4aee719e69983d650602d1c6422a31600001)
2007-10-10 | r24694: Remove objectCategory entries from the setup templates. These can be | Andrew Bartlett | 1 | -16/+0
autogenerated by the objectclass module when the entries are added. Andrew Bartlett (This used to be commit 79e13349f00d009fc5dd0cdddade379df906ebc8)
2007-10-10 | r23720: Allow the member server to work against an LDAP Backend. Another case | Andrew Bartlett | 1 | -23/+0
where LDB isn't as strict as OpenLDAP, the self join record contains duplicate servicePrincipalNames once the DNS name and domain name are made equal. (Easier to just skip the useless self-join). Andrew Bartlett (This used to be commit 49ff929be6fcf57721532de13bdd7a7e1617af6f)
2007-10-10 | r20557: use ${DOMAINDN} instead of ${BASEDN} | Stefan Metzmacher | 1 | -46/+46
metze (This used to be commit 2a6e6a2695b256411c91768c7bee748228e40e6f)
2007-10-10 | r20553: add ${CONFIGDN} and ${SCHEMADN} instead of using hardcoded paths | Stefan Metzmacher | 1 | -16/+16
under ${BASEDN} metze (This used to be commit 09ca6aae12d8e10b76971cf269f7c62f228a4c87)
2007-10-10 | r17876: Require one less patch for the LDAP backend to work. | Andrew Bartlett | 1 | -2/+1
This lets the modules or backend generate the host and domain GUID, rather than the randguid() function. These can still be specified from the command line. Andrew Bartlett (This used to be commit 32996ca9d62568006f8bee85a1f2f37c64c04fb5)
2007-10-10 | r16264: Add, but do not yet enable, the partitions module. | Andrew Bartlett | 1 | -1/+1
This required changes to the rootDSE module, to allow registration of partitions. In doing so I renamed the 'register' operation to 'register_control' and 'register_partition', which changed a few more modules. Due to the behaviour of certain LDAP servers, we create the baseDN entry in two parts: Firstly, we allow the admin to export a simple LDIF file to add to their server. Then we perform a modify to add the remaining attributes. To delete all users in partitions, we must now search and delete all objects in the partition, rather than a simple search from the root. Against LDAP, this might not delete all objects, so we allow this to fail. In testing, we found that the 'Domain Controllers' container was misnamed, and should be 'CN=', rather than 'OU='. To avoid the Templates being found in default searches, they have been moved to CN=Templates from CN=Templates,${BASEDN}. Andrew Bartlett (This used to be commit b49a4fbb57f10726bd288fdc9fc95c0cbbe9094a)
2007-10-10 | r16166: Remove hexadecimal constants from the Samba4 provision files. | Andrew Bartlett | 1 | -42/+42
This change is required for compatibility with the OSX client, in particular, but returning 0x80000002 rather than -2147483646 violates what LDAP clients expect in general. Andrew Bartlett (This used to be commit 81f3cd1c4592d2108d521acd701ed4a70a23c465)
2007-10-10 | r14200: Now we have real USN support, don't force the values in the provision | Andrew Bartlett | 1 | -52/+0
scripts. This tests the real module, and avoids duplication. Andrew Bartlett (This used to be commit 0859ba59ae00029177cd63366fc59efe8b19c973)
2007-10-10 | r13097: move the creation of the default sam name -> unix name mappings into | Andrew Tridgell | 1 | -8/+0
the main provision logic, so it can also be used as part of the vampire process (This used to be commit 95e90169f4e5887ee88116179d96f28f9e06796e)
2007-10-10 | r12943: Generate a SID for the domain join account using the modules, rather | Andrew Bartlett | 1 | -1/+0
than a hardcoded SID. Fix the samldb module to return what *was* the nextrid, rather than the new nextrid (that is for next time). Andrew Bartlett (This used to be commit ffe9042e15cebbc7ff1bac90ec39835753d6caa7)
2007-10-10 | r12719: Rename unicodePwd -> sambaPassword. | Andrew Bartlett | 1 | -3/+3
Because we don't know the syntax of unicodePwd, we want to avoid using that attribute name. It may cause problems later when we get replication from Windows. I'm doing this before the tech preview, so we don't get too many surprises as folks upgrade databases into later versions. Andrew Bartlett (This used to be commit 097d9d0b7fd3b1a10fb7039f0671fd459bed2d1b)
2007-10-10 | r12630: Remove attributes which should be automatically generated. | Andrew Bartlett | 1 | -3/+0
This fixes a problem I had with kpasswd, as the account had 'expired' due to the old pwdLastSet, hardcoded in the ldif. Andrew Bartlett (This used to be commit 1a9992e56a777771ad963af87481ce4ffb8cbf56)
2007-10-10 | r12598: Make the 'objectClass' part of the templating process actually work. | Andrew Bartlett | 1 | -10/+0
We need to add to the multivalued objectClass, not ignore it because the user has already specified a value. Also rename the template again. This was caught by more stringent tests in the unicodePwd module, but breaks MMC. A later commit will sort the objectClass. Andrew Bartlett (This used to be commit 0aaff059ba76c7eee86f37bfd74735c1c365d55f)
2007-10-10 | r11990: Set the password set time as 'now', so it isn't expired back in 2004. | Andrew Bartlett | 1 | -2/+1
Andrew Bartlett (This used to be commit b3929230b210bd6f0b12f90f48767aa861fd08fa)
2007-10-10 | r11357: Add more standard 'servicePrincipalName' entries to our host account | Andrew Bartlett | 1 | -0/+4
in provision. Andrew Bartlett (This used to be commit 8ed61562803f92eb110742ac45cff36c8fe8eca3)
2007-10-10 | r10955: finally worked out why our computer accounts were being identified as users in mmc. | Andrew Tridgell | 1 | -0/+1
The problem was that the samdb module was auto-adding objectClass=user for these accounts. That would be OK, as computer accounts are supposed to be in that objectClass, but mmc cares about the order of the values in the objectClass attribute! It looks for the last value, and takes that as the value to use when deciding how to manipulate the record. So, this patch adds an explicit objectClass=user to the record when it gets created, which tells the samdb module to not add it as well. That fixes the order. I suspect we are missing something else though - is objectClass supposed to auto-sort based on the schema? (This used to be commit 68c5f807fdb99fd605154d455e61a08293cbd2d0)
2007-10-10 | r8790: Finish the migration of aliases and privileges with SamSync, by adding | Andrew Bartlett | 1 | -0/+459
templating support for foreignSecurityPrincipals to the samdb module. This is an extension beyond what microsoft does, and has been very useful :-) The setup scripts have been modified to use the new template, as has the SAMR and LSA code. Other cleanups in LSA remove the assumption that the short domain name is the first component of the realm. Also add a lot of useful debug messages, to make it clear how/why the SamSync may have gone wrong. Many of these should perhaps be hooked into an error string. Andrew Bartlett (This used to be commit 1f071b0609c5c83024db1d4a7d04334a932b8253)