summaryrefslogtreecommitdiff
path: root/source4/setup
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r15518: the 'password' option in POPT_COMMON_CREDENTIALS was conflicting withAndrew Tridgell1-4/+4
the password option in newuser. Move the local options above the global options to fix. (This used to be commit 2adcd4ff4ec1ef867b91274d994c39e7c0fdaad2)
2007-10-10r14313: Add comments describing some of the dependencies here.Andrew Bartlett1-0/+5
Andrew Bartlett (This used to be commit a79a185b6a8a0ac81a380ff6df5a11e45a19cb16)
2007-10-10r14200: Now we have real USN support, don't force the values in the provisionAndrew Bartlett3-106/+0
scripts. This tests the real module, and avoids duplication. Andrew Bartlett (This used to be commit 0859ba59ae00029177cd63366fc59efe8b19c973)
2007-10-10r13907: By ordering things this way, we allow the password_hash module to setAndrew Bartlett1-1/+1
the pwdLastSet time on new users (with passwords) correctly. Andrew Bartlett (This used to be commit e1b346b8e096130328440fa388de3474fadc7332)
2007-10-10r13369: let's have a way to show the samba4 version through ejsSimo Sorce1-0/+2
and use it in provisioning to fullfill rfc 3045 requirements (This used to be commit 3fb9571a76481560304a826fc945983d52123299)
2007-10-10r13320: Fix kpasswd's use of the local HDB. /dev/null was a bad idea, we wantAndrew Bartlett1-2/+2
'no filename' instead. Andrew Bartlett (This used to be commit 7de385dca4c40e98a40ef1e769826de8bff64323)
2007-10-10r13239: Silly little patch: make the order of declaration match the order ↵Andrew Bartlett1-1/+1
of use. (This used to be commit 2b605cf22c7567e1171bf73cbbd37a5f0c1a4274)
2007-10-10r13107: Follow the lead of Heimdal's kpasswdd and use the HDB (hdb-ldb in ourAndrew Bartlett1-4/+4
case) as the keytab. This avoids issues in replicated setups, as we will replicate the kpasswd key correctly (including from windows, which is why I care at the moment). Andrew Bartlett (This used to be commit 849500d1aa658817052423051b1f5d0b7a1db8e0)
2007-10-10r13097: move the creation of the default sam name -> unix name mappings intoAndrew Tridgell1-8/+0
the main provision logic, so it can also be used as part of the vampire process (This used to be commit 95e90169f4e5887ee88116179d96f28f9e06796e)
2007-10-10r13063: Add --realm option to upgradeJelmer Vernooij1-5/+11
(This used to be commit e6aa4e92f044712ecaa4bd7099d53d9c7d083c42)
2007-10-10r12945: Try to move closer to getting Samba3 import working again.Andrew Bartlett1-2/+3
There still a few things to work out Andrew Bartlett (This used to be commit 701558b5fe917555416eb0d100ef756f8ef7cf65)
2007-10-10r12944: Update scripts in setup to match changes in the provision.jsAndrew Bartlett2-3/+9
DNS is now done as a seperate step, to assist in migrations. Andrew Bartlett (This used to be commit 916607d1d08b6a41c375766a69fd609989e35bed)
2007-10-10r12943: Generate a SID for the domain join account using the modules, ratherAndrew Bartlett2-2/+1
than a hardcoded SID. Fix the samldb module to return the what *was* the nextrid, rather than the new nextrid (that is for next time). Andrew Bartlett (This used to be commit ffe9042e15cebbc7ff1bac90ec39835753d6caa7)
2007-10-10r12941: Add Attribute Scoped Search controlSimo Sorce1-1/+1
want to see what it does ? do aq make test and try: ./bin/ldbsearch -H st/private/sam.ldb --controls=asq:1:member -s base -b 'CN=Administrators,CN=Builtin,DC=samba,DC=example,DC=com' 'objectclass=*' have fun. simo. (This used to be commit 900f4fd3435aacc3351f30afb77d3488d2cb4804)
2007-10-10r12905: add some ldap policiesSimo Sorce1-0/+33
not yet enforced except for the initial connection timeout (This used to be commit fa1ae9a44b0321b8e458bcb7fd1dcc9475b9bad3)
2007-10-10r12762: Simo correctly asked that the policy logic (which attributes containAndrew Bartlett1-0/+9
passwords) be moved into the database, and not be hard-coded in the module source. Andrew Bartlett (This used to be commit 1fbe09ce818ac1603bd747610262865b8698fe04)
2007-10-10r12749: Fix the newuser script.Andrew Bartlett1-1/+6
Andrew Bartlett (This used to be commit 42cdad5e3f06c307baf80396fd8449b803ef84c3)
2007-10-10r12746: An initial version of the kludge_acls module.Andrew Bartlett2-3/+3
This should be replaced with real ACLs, which tridge is working on. In the meantime, the rules are very simple: - SYSTEM and Administrators can read all. - Users and anonymous cannot read passwords, can read everything else - list of 'password' attributes is hard-coded Most of the difficult work in this was fighting with the C/js interface to add a system_session() all, as it still doesn't get on with me :-) Andrew Bartlett (This used to be commit be9d0cae8989429ef47a713d8f0a82f12966fc78)
2007-10-10r12745: Initial work to support a syntax to pass over controls viaSimo Sorce1-1/+1
command line to ldbsearch. Very rough work, no checks are done on the input yet (will segfault if you make it wrong). Controls are passed via the --controls switch an are comma separated (no escaping yet). General syntax is <ctrl_name>:<criticality> <ctrl_name> is a string <criticality> is 1 or 0 Current semi-parsed controls are: server_sort syntax: server_sort:1:0:attributename 1st parm: criticality 2nd parm: reversed 3rd parm: attribute name to be used for sorting todo: still missing suport for multiple sorting attributes and ordering rule no check on result code paged_results syntax: paged_results:1:100 1st parm: criticality 2nd parm: number of results to be returned todo: ldbsearch will return only the first batch (missing code to cycle over conditionally) no check on result code extended_dn syntax: extended_dn:1:0 1st parm: criticality 2nd parm: type, see MS docs on meaning Simo. (This used to be commit 4c685ac0d1638a1d5392dfe733baf0db77e84858)
2007-10-10r12739: Add support for using credentials in the provision process.Andrew Bartlett1-1/+4
This should allow us to provision to a 'normal' LDAP server. Also add in 'session info' hooks (unused). Both of these need to be hooked in on the webserver. Andrew Bartlett (This used to be commit b349d2fbfefd0e0d4620b9e8e0c4136f900be1ae)
2007-10-10r12720: By metze's request, rename the ntPwdHistory attribute toAndrew Bartlett1-2/+2
sambaNTPassword. Likewise lmPwdHistory -> sambaLMPwdHistory. The idea here is to avoid having conflicting formats when we get to replication. We know the base data matches, but we may need to use a module to munge formats. Andrew Bartlett (This used to be commit 8e608dd4bf4f108e02274a9977ced04a0a270570)
2007-10-10r12719: Rename unicodePwd -> sambaPassword.Andrew Bartlett2-4/+4
Because we don't know the syntax of unicodePwd, we want to avoid using that attribute name. It may cause problems later when we get replication form windows. I'm doing this before the tech preview, so we don't get too many supprises as folks upgrade databases into later versions. Andrew Bartlett (This used to be commit 097d9d0b7fd3b1a10fb7039f0671fd459bed2d1b)
2007-10-10r12686: Push the real SASL list into the rootdse.Andrew Bartlett1-1/+0
Get this out of the server credentials, and push it down to ldb via an opaque pointer. Andrew Bartlett (This used to be commit 61700252e05e0be6b4ffa72ffc24a95c665597e3)
2007-10-10r12630: Remove attributes which should be automaticly generated.Andrew Bartlett1-3/+0
This fixes a problem I had with kpasswd, as the account had 'expired' due to the old pwdLastSet, hardcoded in the ldif. Andrew Bartlett (This used to be commit 1a9992e56a777771ad963af87481ce4ffb8cbf56)
2007-10-10r12625: More 'useful' names for the DNS zone.Andrew Bartlett1-0/+3
Andrew Bartlett (This used to be commit 660fc3ff4e26873710b35c8f52fe3a697764ec98)
2007-10-10r12600: Add a new module to sort the objectclass attribute on store. TheAndrew Bartlett1-1/+1
module is perhaps not the most efficient, but I think it is reasonable. This should restore operation of MMC against Samba4 (broken by the templating fixes). Andrew Bartlett (This used to be commit 41948c4bdbfca1160a01a92994324f9e22422afe)
2007-10-10r12599: This new LDB module (and associated changes) allows Samba4 to operateAndrew Bartlett1-1/+2
using pre-calculated passwords for all kerberos key types. (Previously we could only use these for the NT# type). The module handles all of the hash/string2key tasks for all parts of Samba, which was previously in the rpc_server/samr/samr_password.c code. We also update the msDS-KeyVersionNumber, and the password history. This new module can be called at provision time, which ensures we start with a database that is consistent in this respect. By ensuring that the krb5key attribute is the only one we need to retrieve, this also simplifies the run-time KDC logic. (Each value of the multi-valued attribute is encoded as a 'Key' in ASN.1, using the definition from Heimdal's HDB. This simplfies the KDC code.). It is hoped that this will speed up the KDC enough that it can again operate under valgrind. (This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9)
2007-10-10r12598: Make the 'objectClass' part of the templating process actually work.Andrew Bartlett2-12/+4
We need to add to the multivalued objectClass, not ignore it because the user has already specified a value. Also rename the template again. This was caught by more stringent tests in the unicodePwd module, but breaks MMC. A later commit will sort the objectClass. Andrew Bartlett (This used to be commit 0aaff059ba76c7eee86f37bfd74735c1c365d55f)
2007-10-10r12536: kerberos is on port 88, not port 389Andrew Tridgell1-1/+1
i guess this shows that MS clients ignore the port number in SRV replies (This used to be commit ce070ef50f3aca6f911f6f51688d7cd9fc17ff67)
2007-10-10r12427: Move SAMR CreateUser2 to transactions, and re-add support forAndrew Bartlett1-22/+2
different computer account types. (Earlier code changes removed the BDC case). We don't use the TemplateDomainController, so just have a TemplateServer in provision_templates.ldif Andrew Bartlett (This used to be commit c4520ba2e6fad42a137983a2e1dbcd9c26db74e9)
2007-10-10r12384: I can't spell...Andrew Bartlett1-1/+1
(This used to be commit 566bbfd067f43d86eacc1e867e6f64bac85e285d)
2007-10-10r12383: Fixes for Apple's AD client. Don't segfualt in the KDC, and theyAndrew Bartlett1-0/+1
require the isSynchronized flag in the rootDSE. Andrew Bartlett (This used to be commit e48464c8844b4af1976d8379aef8db9baddd3687)
2007-10-10r11995: A big kerberos-related update.Andrew Bartlett1-0/+4
This merges Samba4 up to current lorikeet-heimdal, which includes a replacement for some Samba-specific hacks. In particular, the credentials system now supplies GSS client and server credentials. These are imported into GSS with gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY keytab, so we now create a FILE based keytab as provision and join time. Because the keytab is now created in advance, we don't spend .4s at negprot doing sha1 s2k calls. Also, because the keytab is read in real time, any change in the server key will be correctly picked up by the the krb5 code. To mark entries in the secrets which should be exported to a keytab, there is a new kerberosSecret objectClass. The new routine cli_credentials_update_all_keytabs() searches for these, and updates the keytabs. This is called in the provision.js via the ejs wrapper credentials_update_all_keytabs(). We can now (in theory) use a system-provided /etc/krb5.keytab, if krb5Keytab: FILE:/etc/krb5.keytab is added to the secrets.ldb record. By default the attribute privateKeytab: secrets.keytab is set, pointing to allow the whole private directory to be moved without breaking the internal links. (This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
2007-10-10r11990: Set the password set time as 'now', so it isn't expired back in 2004.Andrew Bartlett1-2/+1
Andrew Bartlett (This used to be commit b3929230b210bd6f0b12f90f48767aa861fd08fa)
2007-10-10r11956: removed the old rootdse.ldif, and the provision.js code that uses itAndrew Tridgell1-32/+0
(This used to be commit 4b56c129c6f1654f9dbe37bc950a836f15c48b3d)
2007-10-10r11954: add the static rootdse content to the sam ldb,and enable the rootdseAndrew Tridgell1-1/+21
module in @MODULES (This used to be commit cfab88fcc2c740a6d3fd456a009fbb60061b3a53)
2007-10-10r11499: added a minimal set of display specifiers for mmc to use to displayAndrew Tridgell1-0/+108
the core elements of a Samba4 domain (This used to be commit bee45531eaa1f7b96f123c146af3bc30681ebdec)
2007-10-10r11496: add a minimal ads-compatible schema into our sam.ldb setup. This isAndrew Tridgell2-0/+8507
needed for mmc management of Samba4. (This used to be commit cbbce4fe403efc0b9e63052c2aa1fbb5972f2abe)
2007-10-10r11357: Add more standard 'servicePrincaipalName' entries to our host accountAndrew Bartlett1-0/+4
in provision. Andrew Bartlett (This used to be commit 8ed61562803f92eb110742ac45cff36c8fe8eca3)
2007-10-10r11239: Use ${REALM} for the realm in rootdse.ldifAndrew Bartlett1-1/+1
Add the kpasswd server to our KDC, implementing the 'original' and Microsoft versions of the protocol. This works with the Heimdal kpasswd client, but not with MIT, I think due to ordering issues. It may not be worth the pain to have this code go via GENSEC, as it is very, very tied to krb5. This gets us one step closer to joins from Apple, Samba3 and other similar implementations. Andrew Bartlett (This used to be commit ab5dbbe10a162286aa6694c7e08de43b48e34cdb)
2007-10-10r11222: Small provision fixes: canonicalName is now generated, and the DC=Andrew Bartlett1-1/+0
list should be from the dnsdomain (ie lowercae). Andrew Bartlett (This used to be commit 10d692a1c216134b301b5851ce1e71ed93cc6164)
2007-10-10r11218: Always return the mutual authentication reply (needed for kpasswd),Andrew Bartlett1-0/+1
and remove now duplicated unwrap_pac(). Andrew Bartlett (This used to be commit 90642d54e02e09edc96b9498e66befda20dbb68d)
2007-10-10r11208: Add DNS entries for finding the kpasswd server to the default zone.Andrew Bartlett1-0/+7
Andrew Bartlett (This used to be commit 7e01ff11fdcd70b54e30b438076bf1293638c61e)
2007-10-10r11200: Reposition the creation of the kerberos keytab for GSSAPI and Krb5Andrew Bartlett1-0/+13
authentication. This pulls the creating of the keytab back to the credentials code, and removes the special case of 'use keberos keytab = yes' for now. This allows (and requires) the callers to specify the credentials for the server credentails to GENSEC. This allows kpasswdd (soon to be added) to use a different set of kerberos credentials. The 'use kerberos keytab' code will be moved into the credentials layer, as the layers below now expect a keytab. We also now allow for the old secret to be stored into the credentials, allowing service password changes. Andrew Bartlett (This used to be commit 205f77c579ac8680c85f713a76de5767189c627b)
2007-10-10r11113: fixed two small bugs in newuserAndrew Tridgell1-1/+2
- randpass() is now in the random ejs module, not global - don't dereference the undefined variable on getopt failure (This used to be commit 7e338c23f5ac351b362a9e07fd81ec07bc700484)
2007-10-10r11087: - add type,name,scope as attributes to winsRecords,Stefan Metzmacher1-1/+1
so you can use them in search filters, only for administration not used inside the winserver code - fix the samba3 ugrade scripts to create a correct samba4 wins.ldb metze (This used to be commit 9f3b6746d86583c48097da48c28f50f075bbd3e3)
2007-10-10r10955: finally worked out why our computer accounts were being identified ↵Andrew Tridgell1-0/+1
as users in mmc. The problem was that the samdb module was auto-adding objectClass=user for these accounts. That would be OK, as computer accounts are supposed to be in that objectClass, but mmc cares about the order of the values in the objectClass attribute! It looks for the last value, and takes that as the value to use when deciding how to manipulate the record. So, this patch adds an explicit objectClass=user to the record when it gets created, which tells the samdb module to not add it as well. That fixes the order. I suspect we are missing something else though - is objectClass supposed to auto-sort based on the schema? (This used to be commit 68c5f807fdb99fd605154d455e61a08293cbd2d0)
2007-10-10r10916: - finished the 'operational' ldb moduleAndrew Tridgell3-3/+3
- removed the timestamps module, replacing it with the operational module - added a ldb_msg_copy_shallow() function which should be used when a module wants to add new elements to a message on add/modify. This is needed because the caller might be using a constant structure, or may want to re-use the structure again - enabled the UTC time attribute syntaxes in the operational module (This used to be commit 61e8b010223ac6a0573185008f3719ba29574688)
2007-10-10r10855: Put the domain SID in secrets.ldb by default, and add http as aAndrew Bartlett2-1/+2
default SPN alias. Andrew Bartlett (This used to be commit e4fe5802dae544f4dabf0c6d04a55be1144d8820)
2007-10-10r10314: Apply the controvertial 'server role =' patch after discussion on ↵Andrew Bartlett1-2/+2
the list: This patch removes the 'domain logon' and 'domain master' controls from Samba4, in favour of a 'server role =' that users can actually understand. We can expand the list of roles as needed, and nobody has to figure out what a 'domain master' actually means. Andrew Bartlett (This used to be commit 31e755c2ced64dbd2681d5f6ef021a87dbeda689)