Age | Commit message (Collapse) | Author | Files | Lines |
|
main database, under cn=templates).
Andrew Bartlett
(This used to be commit b1d061d36a4e8715576dc8cb1c4216c111d09035)
|
|
This module redirects various samdb requests into different modules,
depending on the prefix. It also makes moving to an LDAP backend
easier, as it is just a different partition backend.
This adds yet another stage to the provision process, as we must setup
the partitions before we setup the magic attributes.
Andrew Bartlett
(This used to be commit 31225b9cb6ef6fcb7bd831043999b1b44ef1b128)
|
|
Actually you can't test both classic and ldb together, but you can replace the standard
script/tests/mktestsetup.sh file with this one and run make test to see share_ldb in action
(This used to be commit d4c2b893504feb3a232e74d14584405b3aaaf942)
|
|
real smbpasswd command some day.
Andrew Bartlett
(This used to be commit 8d0582796608b757fde776e69ea5d70b2b13eb36)
|
|
This required changes to the rootDSE module, to allow registration of
partitions. In doing so I renamed the 'register' operation to
'register_control' and 'register_partition', which changed a few more
modules.
Due to the behaviour of certain LDAP servers, we create the baseDN
entry in two parts: Firstly, we allow the admin to export a simple
LDIF file to add to their server. Then we perform a modify to add the
remaining attributes.
To delete all users in partitions, we must now search and delete all
objects in the partition, rather than a simple search from the root.
Against LDAP, this might not delete all objects, so we allow this to
fail.
In testing, we found that the 'Domain Controllers' container was
misnamed, and should be 'CN=', rather than 'OU='.
To avoid the Templates being found in default searches, they have been
moved to CN=Templates from CN=Templates,${BASEDN}.
Andrew Bartlett
(This used to be commit b49a4fbb57f10726bd288fdc9fc95c0cbbe9094a)
|
|
This change is required for compatibility with the OSX client, in
particular, but returning 0x80000002 rather than -2147483646 violates
what LDAP clients expect in general.
Andrew Bartlett
(This used to be commit 81f3cd1c4592d2108d521acd701ed4a70a23c465)
|
|
Andrew Bartlett
(This used to be commit 954785db03455daf2ff9b2828e31cb7efffe4f11)
|
|
Add a test to show that we need this, and to prove it works (for add
at least).
Andrew Bartlett
(This used to be commit f72079029abb594677bf8c2b63e40c07e910004f)
|
|
This means that some modules have been disabled as well as they
have not been ported to the async interface
One of them is the ugly objectclass module.
I hope that the change in samldb module will make the MMC happy
without the need of this crappy module, we need proper handling
in a decent schema module.
proxy and ldb_map have also been disabled
ldb_sqlite3 need to be ported as well (currenlty just broken).
(This used to be commit 51083de795bdcbf649de926e86969adc20239b6d)
|
|
It passess all my tests, but I still need to work on a lot of stuff.
Shouldn't impact anybody else work, so I want to commit now and see what happens
Will work to remove the old code from modules and backends soon, and make some
more restyling in ldb internals.
So, if there is something you don't like in this desgin please speak now.
Simo.
(This used to be commit 8b2a563e716a789ea77cbfbf2f372724de5361ce)
|
|
the password option in newuser. Move the local options above the
global options to fix.
(This used to be commit 2adcd4ff4ec1ef867b91274d994c39e7c0fdaad2)
|
|
Andrew Bartlett
(This used to be commit a79a185b6a8a0ac81a380ff6df5a11e45a19cb16)
|
|
scripts.
This tests the real module, and avoids duplication.
Andrew Bartlett
(This used to be commit 0859ba59ae00029177cd63366fc59efe8b19c973)
|
|
the pwdLastSet time on new users (with passwords) correctly.
Andrew Bartlett
(This used to be commit e1b346b8e096130328440fa388de3474fadc7332)
|
|
and use it in provisioning to fullfill rfc 3045 requirements
(This used to be commit 3fb9571a76481560304a826fc945983d52123299)
|
|
'no filename' instead.
Andrew Bartlett
(This used to be commit 7de385dca4c40e98a40ef1e769826de8bff64323)
|
|
of use.
(This used to be commit 2b605cf22c7567e1171bf73cbbd37a5f0c1a4274)
|
|
case) as the keytab.
This avoids issues in replicated setups, as we will replicate the
kpasswd key correctly (including from windows, which is why I care at
the moment).
Andrew Bartlett
(This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
|
|
the main provision logic, so it can also be used as part of the
vampire process
(This used to be commit 95e90169f4e5887ee88116179d96f28f9e06796e)
|
|
(This used to be commit e6aa4e92f044712ecaa4bd7099d53d9c7d083c42)
|
|
There still a few things to work out
Andrew Bartlett
(This used to be commit 701558b5fe917555416eb0d100ef756f8ef7cf65)
|
|
DNS is now done as a seperate step, to assist in migrations.
Andrew Bartlett
(This used to be commit 916607d1d08b6a41c375766a69fd609989e35bed)
|
|
than a hardcoded SID.
Fix the samldb module to return the what *was* the nextrid, rather
than the new nextrid (that is for next time).
Andrew Bartlett
(This used to be commit ffe9042e15cebbc7ff1bac90ec39835753d6caa7)
|
|
want to see what it does ?
do aq make test and try:
./bin/ldbsearch -H st/private/sam.ldb --controls=asq:1:member -s base -b 'CN=Administrators,CN=Builtin,DC=samba,DC=example,DC=com' 'objectclass=*'
have fun.
simo.
(This used to be commit 900f4fd3435aacc3351f30afb77d3488d2cb4804)
|
|
not yet enforced except for the initial connection timeout
(This used to be commit fa1ae9a44b0321b8e458bcb7fd1dcc9475b9bad3)
|
|
passwords) be moved into the database, and not be hard-coded in the
module source.
Andrew Bartlett
(This used to be commit 1fbe09ce818ac1603bd747610262865b8698fe04)
|
|
Andrew Bartlett
(This used to be commit 42cdad5e3f06c307baf80396fd8449b803ef84c3)
|
|
This should be replaced with real ACLs, which tridge is working on.
In the meantime, the rules are very simple:
- SYSTEM and Administrators can read all.
- Users and anonymous cannot read passwords, can read everything else
- list of 'password' attributes is hard-coded
Most of the difficult work in this was fighting with the C/js
interface to add a system_session() all, as it still doesn't get on
with me :-)
Andrew Bartlett
(This used to be commit be9d0cae8989429ef47a713d8f0a82f12966fc78)
|
|
command line to ldbsearch. Very rough work, no checks are
done on the input yet (will segfault if you make it wrong).
Controls are passed via the --controls switch an are comma
separated (no escaping yet).
General syntax is <ctrl_name>:<criticality>
<ctrl_name> is a string
<criticality> is 1 or 0
Current semi-parsed controls are:
server_sort
syntax: server_sort:1:0:attributename
1st parm: criticality
2nd parm: reversed
3rd parm: attribute name to be used for sorting
todo: still missing suport for multiple sorting
attributes and ordering rule
no check on result code
paged_results
syntax: paged_results:1:100
1st parm: criticality
2nd parm: number of results to be returned
todo: ldbsearch will return only the first batch
(missing code to cycle over conditionally)
no check on result code
extended_dn
syntax: extended_dn:1:0
1st parm: criticality
2nd parm: type, see MS docs on meaning
Simo.
(This used to be commit 4c685ac0d1638a1d5392dfe733baf0db77e84858)
|
|
This should allow us to provision to a 'normal' LDAP server.
Also add in 'session info' hooks (unused). Both of these need to be
hooked in on the webserver.
Andrew Bartlett
(This used to be commit b349d2fbfefd0e0d4620b9e8e0c4136f900be1ae)
|
|
sambaNTPassword. Likewise lmPwdHistory -> sambaLMPwdHistory.
The idea here is to avoid having conflicting formats when we get to
replication. We know the base data matches, but we may need to use a
module to munge formats.
Andrew Bartlett
(This used to be commit 8e608dd4bf4f108e02274a9977ced04a0a270570)
|
|
Because we don't know the syntax of unicodePwd, we want to avoid using
that attribute name. It may cause problems later when we get
replication form windows.
I'm doing this before the tech preview, so we don't get too many
supprises as folks upgrade databases into later versions.
Andrew Bartlett
(This used to be commit 097d9d0b7fd3b1a10fb7039f0671fd459bed2d1b)
|
|
Get this out of the server credentials, and push it down to ldb via an
opaque pointer.
Andrew Bartlett
(This used to be commit 61700252e05e0be6b4ffa72ffc24a95c665597e3)
|
|
This fixes a problem I had with kpasswd, as the account had 'expired'
due to the old pwdLastSet, hardcoded in the ldif.
Andrew Bartlett
(This used to be commit 1a9992e56a777771ad963af87481ce4ffb8cbf56)
|
|
Andrew Bartlett
(This used to be commit 660fc3ff4e26873710b35c8f52fe3a697764ec98)
|
|
module is perhaps not the most efficient, but I think it is
reasonable.
This should restore operation of MMC against Samba4 (broken by the
templating fixes).
Andrew Bartlett
(This used to be commit 41948c4bdbfca1160a01a92994324f9e22422afe)
|
|
using pre-calculated passwords for all kerberos key types.
(Previously we could only use these for the NT# type).
The module handles all of the hash/string2key tasks for all parts of
Samba, which was previously in the rpc_server/samr/samr_password.c
code. We also update the msDS-KeyVersionNumber, and the password
history. This new module can be called at provision time, which
ensures we start with a database that is consistent in this respect.
By ensuring that the krb5key attribute is the only one we need to
retrieve, this also simplifies the run-time KDC logic. (Each value of
the multi-valued attribute is encoded as a 'Key' in ASN.1, using the
definition from Heimdal's HDB. This simplfies the KDC code.).
It is hoped that this will speed up the KDC enough that it can again
operate under valgrind.
(This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9)
|
|
We need to add to the multivalued objectClass, not ignore it because
the user has already specified a value.
Also rename the template again.
This was caught by more stringent tests in the unicodePwd module, but
breaks MMC. A later commit will sort the objectClass.
Andrew Bartlett
(This used to be commit 0aaff059ba76c7eee86f37bfd74735c1c365d55f)
|
|
i guess this shows that MS clients ignore the port number in SRV replies
(This used to be commit ce070ef50f3aca6f911f6f51688d7cd9fc17ff67)
|
|
different computer account types. (Earlier code changes removed the
BDC case).
We don't use the TemplateDomainController, so just have a
TemplateServer in provision_templates.ldif
Andrew Bartlett
(This used to be commit c4520ba2e6fad42a137983a2e1dbcd9c26db74e9)
|
|
(This used to be commit 566bbfd067f43d86eacc1e867e6f64bac85e285d)
|
|
require the isSynchronized flag in the rootDSE.
Andrew Bartlett
(This used to be commit e48464c8844b4af1976d8379aef8db9baddd3687)
|
|
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
|
|
Andrew Bartlett
(This used to be commit b3929230b210bd6f0b12f90f48767aa861fd08fa)
|
|
(This used to be commit 4b56c129c6f1654f9dbe37bc950a836f15c48b3d)
|
|
module in @MODULES
(This used to be commit cfab88fcc2c740a6d3fd456a009fbb60061b3a53)
|
|
the core elements of a Samba4 domain
(This used to be commit bee45531eaa1f7b96f123c146af3bc30681ebdec)
|
|
needed for mmc management of Samba4.
(This used to be commit cbbce4fe403efc0b9e63052c2aa1fbb5972f2abe)
|
|
in provision.
Andrew Bartlett
(This used to be commit 8ed61562803f92eb110742ac45cff36c8fe8eca3)
|
|
Add the kpasswd server to our KDC, implementing the 'original' and
Microsoft versions of the protocol.
This works with the Heimdal kpasswd client, but not with MIT, I think
due to ordering issues. It may not be worth the pain to have this
code go via GENSEC, as it is very, very tied to krb5.
This gets us one step closer to joins from Apple, Samba3 and other
similar implementations.
Andrew Bartlett
(This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
|