path: root/source4/setup
Age | Commit message | Author | Files | Lines
2009-11-04 | Added security descriptor for the domain NC to provisioning. | Nadezhda Ivanova | 1 | -0/+1
Necessary for correct descriptor inheritance. Based on the default state of a single DC. Will be modified later when we support multiple DCs.
2009-11-02 | s4:provision Rework provision to always have a ProvisionBackend | Andrew Bartlett | 1 | -1/+1
Rather than treat the LDAP backend as a special case, treat all backends the same, with different callbacks.
Andrew Bartlett
2009-11-02 | s4 - SID allocation using FDS DNA plugin | Endi S. Dewata | 6 | -0/+32
2009-11-02 | s4:dsdb - Store SID as string in FDS. | Endi S. Dewata | 1 | -0/+2
2009-11-02 | s4 - Mapped AD schema to existing FDS schema. | Endi S. Dewata | 3 | -1/+68
2009-10-23 | s4:setup Mark 'cn' in secrets as case insensitive | Andrew Bartlett | 1 | -0/+1
While this does not matter very much, others may later expect 'cn' to be case insensitive.
Andrew Bartlett
2009-10-21 | s4:provision - rework the "guess_names" and "make_smbconf" method | Matthias Dieter Wallnöfer | 3 | -3/+3
- Cleans it up from unnecessary "lower()/upper()" and parameters which can be derived through "lp" calls.
- Substitute the "HOSTNAME" caption in the "smb.conf" templates with "NETBIOS_NAME" which fits better.
- Now the "realm" and "domain" parameter of the provision are totally case insensitive and the script itself up/downcases them appropriately depending on the use (e.g. "realm" upcase for KERBEROS, lowcase for DNS domainname).
2009-10-21 | s4:provision Test ability to set GUIDs from provision command line | Andrew Bartlett | 1 | -0/+1
2009-10-21 | s4:provision Allow the NTDS guid on the command line (for testing) | Andrew Bartlett | 1 | -0/+3
This allows a blackbox test to confirm this can be set.
Andrew Bartlett
2009-10-21 | s4:provision Set @OPTIONS in the provision_init.ldif | Andrew Bartlett | 2 | -3/+3
The new partitions code knows to copy these items in when creating a new partition, so we can set it from the start.
Andrew Bartlett
2009-10-21 | s4:dsdb Rework modules create new partitions at runtime | Andrew Bartlett | 2 | -3/+3
This is done by passing an extended operation to the partitions module to extend the @PARTITION record and to extend the in-memory list of partitions.
This also splits things up into module parts that belong above and below repl_meta_data.
Also split the partitions module into two files due to the complexity of the code.
Andrew Bartlett
2009-10-19 | s4-idmap: the idmap database should be indexed | Andrew Tridgell | 1 | -0/+4
2009-10-17 | s4-schema: We should not need Samba4TopExtra now | Andrew Tridgell | 1 | -23/+0
The last attribute this contained was 'privilege' which is now gone
2009-10-17 | s4-provision: added the default privileges db | Andrew Tridgell | 1 | -0/+78
privileges are now stored in a separate database
2009-10-17 | s4-provision: removed the old privilege attributes | Andrew Tridgell | 2 | -53/+14
Our schema is getting a bit cleaner :-)
2009-10-16 | s4:provision - replaced linked_attributes with FDS plugins | Endi S. Dewata | 6 | -0/+46
When FDS is used as a backend, Samba should not use the linked_attributes LDB module, but instead use the built-in DS plugins for attribute linking, indexing, and referential integrity.
2009-10-12 | s4:provision Remove all references to samba4LocalDomain | Andrew Bartlett | 2 | -21/+24
This was a bad idea all along, as Simo said at the time. With the full MS schema and enforcement of it, it is an even worse idea. This fixes the provision of the member server in 'make test'
Andrew Bartlett
2009-10-06 | s4-provision: match win2003 functional level | Andrew Tridgell | 3 | -4/+4
We are now defaulting to win2003 functional level, and see to report the right revisions of our db and schema
2009-10-02 | s4:provision_users.ldif - Put potential primary groups in front of the file | Matthias Dieter Wallnöfer | 1 | -19/+20
(So they can be always found by the SAMLDB module)
2009-10-02 | s4:dsdb rework instanceType module - put instanceType in provision | Andrew Bartlett | 3 | -0/+3
The instanceType needs to be specified in future because that's how the partitions are actually created.
2009-10-02 | s4: Improve provisioning: use relax control | Matthieu Patou | 3 | -2/+2
Give the possibility to specify controls when loading ldif files.
Relax control is specified by default for all ldb_add_diff (request Andrew B).
Set domainguid if specified at the creation of object instead of modifying afterward.
Allow to specify objectGUID for NTDS object of the first DC; this option is used during provision upgrade.
2009-10-02 | s4:provision - Change the default forest/domain function level back to Windows 2003 Native | Matthias Dieter Wallnöfer | 1 | -1/+1
2009-09-30 | s4:pwsettings - Improve error handling and introduce "choice" type | Matthias Dieter Wallnöfer | 1 | -13/+10
- Improve the error handling according to Jelmer's suggestions
- Print out the error messages on "stderr"
- Add also here the "choice" type for arguments
2009-09-30 | s4:provision - Lets the user choose between the supported forest/domain function levels | Matthias Dieter Wallnöfer | 1 | -8/+17
Adds a parameter "--function-level" which allows to specify the domain and forest function level.
2009-09-30 | s4:provision: Show domains and forests are W2K8 DC capable. | Andrew Kroeger | 2 | -0/+15
When adding a W2K8 DC to a domain running earlier DC versions, the "adprep" utility is used to perform schema updates and update other attributes as necessary. Adding these entries provides an indication that the adprep utility has been run with the /forestprep, /domainprep and /rodcprep arguments. Although these entries indicate adprep has been run, nothing has been done to verify that the changes that the adprep utility would have made have actually been done. The values used for the revision attributes are as seen on a W2K8 DC (not W2K8 R2, which will probably have higher values).
2009-09-30 | s4:provision: Update schema version number to W2K8. | Andrew Kroeger | 1 | -1/+1
We are running the W2K8 schema version, not the W2K3 version.
2009-09-30 | s4:domainlevel - General rework | Matthias Dieter Wallnöfer | 1 | -29/+63
- We support domain/forest function levels >= (Windows) 2003 Native -> adapt the domain/forest and DC function level restrictions.
- Consider also the lowest function level of a DC. The domain and forest function levels can never be higher than it.
- Improve the error handling by printing out messages to "stderr"
- Introduce the "choice" type for choice arguments (saves us some error handling)
2009-09-25 | s4:LDIFs - enhance the section comments | Matthias Dieter Wallnöfer | 2 | -0/+12
2009-09-21 | Merge branch 'master' of git://git.samba.org/samba | Nadezhda Ivanova | 9 | -37/+73
2009-09-21 | s4:samdb/tools - That should fix now the last failures | Matthias Dieter Wallnöfer | 2 | -1/+3
2009-09-21 | s4:scripts - Reintroduce "-H" parameter | Matthias Dieter Wallnöfer | 6 | -12/+46
I removed it since on some scripts it was present, on others not - so I thought it wouldn't be really needed. This was a bad decision (pointed out by abartlet). So I reintroduce it on all scripts (to have consistent parameters).
2009-09-20 | Merge branch 'master' of git://git.samba.org/samba | Nadezhda Ivanova | 3 | -28/+11
2009-09-20 | s4:provision split provision of DNS zone and self join keytab | Andrew Bartlett | 3 | -24/+24
2009-09-20 | Initial implementation of security descriptor creation in DS | Nadezhda Ivanova | 2 | -0/+2
TODO's: ACE sorting and clarifying the inheritance of object specific ace's.
2009-09-20 | s4:python tools - try to fix some test problems | Matthias Dieter Wallnöfer | 2 | -2/+2
2009-09-20 | s4:domainlevel - fixed another error | Matthias Dieter Wallnöfer | 1 | -26/+9
The second "nTMixedDomain" attribute (under Partitions/Domain-DN) is only a copy of the one under the directory root object. Therefore there doesn't exist the "Windows 2000 Mixed" forest level.
2009-09-20 | s4:provision_configuration - fix "sPNMappings" | Matthias Dieter Wallnöfer | 1 | -2/+1
I reread some docs about this attribute and it seems that this as mapping attribute isn't host specific but in common for the whole domain. To allow Windows DCs to join our s4 domain sooner or later we have to provide the full attribute.
2009-09-20 | s4:domainlevel - further improvements | Matthias Dieter Wallnöfer | 1 | -9/+50
- The tool displays now also mixed/interim domain levels and warns about them (s4 isn't capable to run on them)
- But it allows now also to raise/step-up from them
- It displays now also levels higher than 2008 R2 (although we don't support them yet) but to be able to get a correct output
2009-09-20 | s4:provision_basedn_modify - fix the "auditPolicy" attribute | Matthias Dieter Wallnöfer | 1 | -1/+2
I had to think about how to encode the string 0x0001 (taken from Windows Server). The problem is due to the "0" byte at the beginning of it. BASE64 encoding seems a good method to do it.
2009-09-18 | s4:provision_configuration - "sPNMappings": "http" missed on regeneration | Matthias Dieter Wallnöfer | 1 | -1/+1
2009-09-18 | s4/provision_configuration - re-add the "sPNMappings" | Matthias Dieter Wallnöfer | 1 | -0/+3
Accidentally removed by a previous commit.
2009-09-18 | s4:scripts - Cleans also the rest under the "setup" directory up | Matthias Dieter Wallnöfer | 3 | -30/+43
- I removed also the "-H" parameter since those scripts are all thought for the use on a local s4 domain controller. Another reason is also the bind as SYSTEM account which itself is only possible on local binds.
2009-09-18 | s4:various scripts under "setup" - Unification | Matthias Dieter Wallnöfer | 4 | -73/+74
- This unified the shape of those four scripts (comments, command sequence, call of SamDB)
- To consider the samdb.py changes regarding the filter: there is now always the possibility either to specify the username or the search filter
2009-09-18 | s4:domainlevel/pwsettings - Remove unused import | Matthias Dieter Wallnöfer | 2 | -2/+0
2009-09-18 | s4:domainlevel - fix indentations | Matthias Dieter Wallnöfer | 1 | -4/+4
2009-09-18 | s4:domainlevel - Add a script which allows raising the domain/forest level | Matthias Dieter Wallnöfer | 1 | -0/+181
This simple script allows raising the domain and/or forest level for s4. I integrated also the basic checks (since we don't perform them in LDB yet): e.g. the forest level can't be higher than the domain level(s).
2009-09-18 | s4:pwsettings - Simplify the error handling a bit | Matthias Dieter Wallnöfer | 1 | -5/+2
2009-09-18 | s4:provision - Bump down the domain and forest level to Windows 2000 | Matthias Dieter Wallnöfer | 1 | -6/+7
- The DC level we keep on Windows Server 2008 R2 (we should call ourself always the newest server type)
- The domain/forest level we set to the minimum (Windows 2000 native) to allow all AD DC types (from Windows 2000 on) in our domain
- the NT4 "mixed" mode isn't supported by us (discussed on mailing list) -> "nTMixedDomain" is set always to 0
- I'll add a script which allows to bump the DC level (basically sets the "msDS-Behaviour-Version" attributes on the "Partitions/Configuration/DC" and on the "DC" object)
2009-09-17 | s4:provision - Some rework (continuation) | Matthias Dieter Wallnöfer | 3 | -37/+307
- Fix up "servicePrincipalNames" attributes on the DC object
- Add some informative comments (most in "provision_self_join.ldif")
- Add also comments where objects are missing which we may add later when we support the feature (mainly for FRS)
- Add "domain updates" objects also under "CN=Configuration" (they exist twice)
- Add the default services under "Services" to allow interoperability with some MS client tools
- Smaller changes
2009-09-17 | s4:provision - Some rework | Matthias Dieter Wallnöfer | 11 | -23607/+23874
- Add/change "wellKnownObjects" attributes
- Order entries in "provision_basedn_modify.ldif"
- Add/change "delete entries" object under BASEDN and CONFIGDN
- Fix default version number of "Default domain policy" group policy
- Add "domain updates" objects for interoperability with MS AD maintaining tools
- Show version number in the "oEMInformation" attribute (suggested by ekacnet)
- Smaller fixups