Age | Commit message (Collapse) | Author | Files | Lines |
|
Rename it to "DSDB_CONTROL_PASSWORD_CHANGE_OID". This control will afterwards
contain a record with the specified old password as NT and/or LM hash.
|
|
This control is designed to allow replmetadata to be specified
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
When importing users from Samba3 we need to control all values.
metze
|
|
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
|
|
This control will allow the linked_attributes module to know if
repl_meta_data has already handled the creation of forward and back
links.
Andrew Bartlett
|
|
The password hash module controls overlapped others. Sorry, but the
"schema_samba4.ldif" hasn't been kept up-to-date.
|
|
- Add a new control for getting status informations (domain informations,
password change status) directly from the module
- Add a new control for allowing direct hash changes
- Introduce an addtional control "change_old password checked" for the password
|
|
allocated
metze
|
|
Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
|
|
This will be called by getncchanges when a client asks for a
DRSUAPI_EXOP_FSMO_RID_ALLOC operation
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
- reserve a new Samba OID for recalculate SD control
- fix the update SD function
- fix handling of kvno in the update_machine_account_password function
- fix handling of handles in RPC winreg server
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This is done by passing an extended operation to the partitions module
to extend the @PARTITION record and to extend the in-memory list of
partitions.
This also splits things up into module parts that belong above and below
repl_meta_data
Also slit the partitions module into two files due to the complexity
of the code
Andrew Barltett
|
|
The last attribute this contained was 'privilege' which is now gone
|
|
Our schema is getting a bit cleaner :-)
|
|
This was a bad idea all along, as Simo said at the time. With the
full MS schema and enforcement of it, it is an even worse idea.
This fixes the provision of the member server in 'make test'
Andrew Bartlett
|
|
1. During instance creation the provisioning script will import the SASL
mapping for samba-admin. It's done here due to missing config schema
preventing adding the mapping via ldapi.
2. After that it will use ldif2db to import the cn=samba-admin user as
the target of SASL mapping.
3. Then it will start FDS and continue to do provisioning using the
Directory Manager with simple bind.
4. The SASL credentials will be stored in secrets.ldb, so when Samba
server runs later it will use the SASL credentials.
5. After the provisioning is done (just before stopping the slapd)
it will use the DM over direct ldapi to delete the default SASL
mappings included automatically by FDS, leaving just the new
samba-admin mapping.
6. Also before stopping slapd it will use the DM over direct ldapi to
set the ACL on the root entries of the user, configuration, and
schema partitions. The ACL will give samba-admin the full access
to these partitions.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
We need to find a better way to apply this (used in the Fedora DS LDAP
backend), not by trying to tunnel this down the module stack.
Andrew Bartlett
|
|
(We recently made the ms_schema.py script also add this attribute)
|
|
- Adds more system objects which make sense to have them in SAMBA 4 also to
have them when we add more and more services related to the directory (volume
support, DFS, replication service, COM...)
- Make sure that "isCriticalSystemObject" and "showInAdvancedViewOnly" attributes
are set correctly on each object
|
|
|
|
This is required to get provision against OpenLDAP working again
|
|
We need to avoid handling DN+Binary and DN+String with the refint
module for now, as this is a currently unsupported syntax.
Also rename entryTTL to avoid a conflict with the operational
attribute of the same name.
Andrew Bartlett
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
it should always have been. Make it also async so that it is not a special case.
|
|
We need to make sure replicated updates are handled differently
in some situations, e.g. we should bypass the schema checks.
metze
|
|
This is an odd place for an OID registry - we perhaps need a central
wiki page.
Andrew Bartlett
(This used to be commit 1c909973977ae117703c1ccf7589acc4625e76e5)
|
|
This attribute is used in a very similar way (virtual attribute
updating the password) in AD on Win2003, so eliminate the difference.
This should not cause a problem for on-disk passwords, as by default
we do not store the plaintext at all.
Andrew Bartlett
(This used to be commit 1cf0d751493b709ef6b2234ec8847a7499f48ab3)
|
|
Instead of extensibleObject, we use the new (more correct) ad2oLschema
tool, and a new objectClass called 'samba4Top', which we add and
remove in the same way we did extensibleObject.
Andrew Bartlett
(This used to be commit 5ab20aa8b43415751f77602fff3a3008bf2186db)
|
|
This reworks quite a few parts of our provision system to use
CN=NETBIOSNAME as the domain for member servers.
This makes it clear that these domains are not in the DNS structure,
while complying with our own schema (found by OpenLDAP's schema
validation).
Andrew Bartlett
(This used to be commit bda6a38b055fed2394e65cdc0b308a1442116402)
|
|
Recent changes to Samba4 have made the Fedora DS backend fail. This
is a start on fixing that.
Andrew Bartlett
(This used to be commit 48dc07902ffb792532ff216e507e53103d448b7b)
|
|
samdb before we start writing entries into it.
In doing so, I realised we still used 'dnsDomain', which is not part
of the standard schema (now removed).
We also set the 'wrong' side of the linked attributes for the
masteredBy on each partition - this is now set in provision_self_join
and backlinks via the linked attributes code.
When we have the schema loaded, we must also have a valid domain SID
loaded, so that the objectclass module works. This required some ejs
glue.
Andrew Bartlett
(This used to be commit b0de08916e8cb59ce6a2ea94bbc9ac0679830ac1)
|
|
Andrew Bartlett
(This used to be commit ef9320ae5b0b01bd39b60c22ff4e3698ac0ae9a7)
|
|
OpenLDAP is fussy about operational attributes in user-supplied
schema.
Andrew Bartlett
(This used to be commit d7cd4b768a7f56ced8ed94b9a63d01865ba7d10a)
|
|
partitions onto the target LDAP server.
Make the LDAP provision run before smbd starts, then stop the LDAP
server. This ensures this occurs synchronously, We then restart it
for the 'real run' (with slapd's stdin being the FIFO).
This required fixing a few things in the provision scripts, with more
containers being created via a add/modify pair.
Andrew Bartlett
(This used to be commit 860dfa4ea1ab2b62d4d4fe0644e0a9b882fdafa1)
|
|
are not used anymore
metze
(This used to be commit 9e91bd64492c45ee333f5e797d4d492378600356)
|
|
an oid for the
control
metze
(This used to be commit 684eee52e8812f6d104d8706ab059643ff4faa46)
|
|
because we now use DSDB_EXTENDED_REPLICATED_OBJECTS_OID extended operation
metze
(This used to be commit 4380cc9ed6ac2e6c133b5a36f922b341474a8e7e)
|
|
- allocate an OID for DSDB_EXTENDED_REPLICATED_OBJECTS_OID which
will replace the DSDB_CONTROL_REPLICATED_OBJECT_OID soon
metze
(This used to be commit 6397f014482172573facd3d87d1f9eec1b320ac5)
|
|
- allocate an OID for LDB Control that hold meta data when applying
replicated objects
metze
(This used to be commit 2660c5ab211f353324452694b4bd5fd8bd17745b)
|
|
under ${BASEDN}
metze
(This used to be commit 09ca6aae12d8e10b76971cf269f7c62f228a4c87)
|
|
Andrew Bartlett
(This used to be commit ac5abff4b66619c29357adb7e013700bdf686709)
|
|
Andrew Bartlett
(This used to be commit 0ceffb52eb218cd2beff0054679a07f137f0f23a)
|
|
(This used to be commit aca800bdcc5f402c1fc241e9e9c495933c85b715)
|
|
(This used to be commit 425fda84e2a4636c87b30df9df3f2c998202c933)
|
|
OIDs and skip built-in attributes.
Andrew Bartlett
(This used to be commit cb2b9d800d1228d41f7872a7b7c8ea5f07816c61)
|
|
This causes things to operate as just one transaction (locally), and
to make a minimum of TCP connections when connecting to a remote LDAP
server.
Taking advantage of this, create another file to handle loading the
Samba4 specific schema extensions. Also comment out 'middleName' and
reassign the OID to one in the Samba4 range, as it is 'stolen' from a
netscape range that is used in OpenLDAP and interenet standards for
'ref'.
Andrew Bartlett
(This used to be commit 009d0905947dec9bab81d8e6de5cb424807ffd35)
|