| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
When a DsAddEntry is used to create a nTDSDSA object we need to also
create the SPNs for the NTDS GUID in the servers machine account.
|
|
The DNS entries and SPNs are needed for samba<->samba DRS
replication. This patch adds them for a standalone DC configure. A
separate patch will add them for the vampire configure
|
|
Right now parentGUID is a normal attribute in s4, but it should be
generated, which means we need to ask for it in a search if we want to
use it.
|
|
When tracking down complex connection problems its useful knowing what
name lookups failed.
|
|
|
|
After this change, when a test fails, it gives
reasonable failure message.
|
|
The macro actually wraps common code pattern used in
almost every test for DRSUAPI interface
|
|
NOTE: Not every place where printf is used is replaced by
torture_comment. Future work shall "missed" printfs also.
|
|
This fixes the issue with the original files that they didn't have a
leading # in front of the comments, which caused our parsing scripts
much pain. The files are now exactly as delivered.
Andrew Bartlett
|
|
As found when running "make test" with the MALLOC_CHECK_ and MALLOC_PERTURB_
environment variables set.
|
|
DsCrackNamesPrivate structure basically inherits DsPrivate
structure while adding few test-specific members.
|
|
|
|
DRSUAPI_DS_NAME_FORMAT_UKNOWN added to 'known-to-fail'
responses as this actually means to ask AD to resolve
a name from FQDN format to Unknown format.
|
|
|
|
The added tests include basic validation that the script runs and accepts all
custom arguments. The tests also verify changes to the password complexity,
minimum password length, and minimum password length settings.
|
|
|
|
|
|
Validate that each field is within its allowed range. Also validate that the
maximum password age is greater than the minimum password length (if the maximum
password age is set).
I could not find these values documented anywhere in the WSPP docs. I used the
values shown in the W2K8 GPMC, as it appears that the GPMC actuaally performs
the validation of values.
|
|
If we cannot retrieve the value, do not assume a particular value. The fact
that we could not retrieve the value indicates a larger problem that we don't
want to make worse bypossibly clearing bit fields in the pwdProperties
attribute.
|
|
This ensures that all changes are made, or none are made. It also makes it
possible to do validation as we go and abort in case of an error, while always
leaving things in a consistent state.
|
|
Also changed all non-error status output to use the message() function, which
respects the --quiet option.
|
|
"LogonGetDomainInfo" call
They're needed only at the end.
|
|
"samdb_set_password" routine"
This reverts commit fdd62e9699b181a140292689fcd88a559bc26211.
abartlet and I agreed that this isn't the right way to enforce the password
policies. Sooner or later we've to control them anyway on the directory level.
|
|
|
|
We need to be more careful to do the cleanup functions for the right
backend. In future, these perhaps should be provided by the
ProvisionBackend class.
Andrew Bartlett
|
|
This means we now get passwords vampired correctly for s4<->s4
replication.
|
|
We have to bypass kludge_acl in replication as otherwise we aren't
allowed access to the password entries
|
|
|
|
Our vampire code sends a zero GUID in the updaterefs calls. Windows
seems to ignore the GUID and use the DN in the naming context instead,
so I have changed our UpdateRefs server implementation to do the same.
With this change we can now vampire from s4<->s4 successfully! Now to
see if all the attributes came across correctly.
|
|
|
|
|
|
|
|
This broke in Endi's patch for Fedora DS support
Andrew Bartlett
|
|
|
|
We were trying to encode strings like 'top' as integers, without first
looking them up in our schema. We need special handling for all the
attributes that contain attributeID_id or governsID_id fields that
should be translated first before encoding.
|
|
|
|
1. During instance creation the provisioning script will import the SASL
mapping for samba-admin. It's done here due to missing config schema
preventing adding the mapping via ldapi.
2. After that it will use ldif2db to import the cn=samba-admin user as
the target of SASL mapping.
3. Then it will start FDS and continue to do provisioning using the
Directory Manager with simple bind.
4. The SASL credentials will be stored in secrets.ldb, so when Samba
server runs later it will use the SASL credentials.
5. After the provisioning is done (just before stopping the slapd)
it will use the DM over direct ldapi to delete the default SASL
mappings included automatically by FDS, leaving just the new
samba-admin mapping.
6. Also before stopping slapd it will use the DM over direct ldapi to
set the ACL on the root entries of the user, configuration, and
schema partitions. The ACL will give samba-admin the full access
to these partitions.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
* test if oplocks are granted when requesting delete-on-close
* test how oplocks are broken by byte-range-lock requests
|
|
Allows "make test" and other harnesses to print cleaner output.
|
|
thanks to metze for pointing this out
|
|
|
|
These two arrays need to be in sync, as they are walked in sync by the
client
|
|
It is easier to understand without the heavy nesting
|
|
DsAddEntry now seems to work for simple tests
|
|
These will get quite complex eventually, I think we are better
separating them so the code is a bit easier to follow
|
|
The purpose of admin_session is to be able to execute parts of provisioning
as the user Administrator in order to have the correct group and owner in the
security descriptors. To be used for provisioning and tests only.
|
|
This patch implements DsReplicaSync by passing the call via irpc to
the repl server task. The repl server then triggers an immediate
replication of the specified partition.
This means we no longer need to set a small value for
dreplsrv:periodic_interval to force frequent DRS replication. We can
now wait for the DC to send us a ReplicaSync msg for any partition
that changes, and we immediately sync that partition.
|
|
I've found that w2k3 deletes the repsTo records we carefully created
in the vampire join if we don't refresh them frequently. After about
30mins all 3 repsTo records are gone.
This patch adds automatic refresh of the repsTo by calling
DSReplicaUpdateRefs every time we do a sync cycle with the server
|
|
Metze pointed out what the windows tool ldp.exe will examine repsTo
attributes on remote DCs, so we do in fact need to use the same format
that windows uses. This patch changes the server side implementation
of UpdateRefs to use the windows format
|
|
I think this is what windows DCs use to see that we are read-only, but
I am not sure. Needs more testing.
|
