From a0c595fc94a09a43f3ed314fb87705806a8a3495 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 31 Aug 2007 02:35:16 +0200 Subject: r24821: Update the mkrelease.sh script and mkversion.sh to make releasing correct Samba4 tarballs harder to screw up. Andrew Bartlett (This used to be commit b17e1c783216ed0b0975c1a2e7f2a6f95cd1ac33) --- source4/script/mkrelease.sh | 23 ++++++++++++++++++----- source4/script/mkversion.sh | 4 ++++ 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/source4/script/mkrelease.sh b/source4/script/mkrelease.sh index 8e2ac0fcb9..a6e7c8493b 100755 --- a/source4/script/mkrelease.sh +++ b/source4/script/mkrelease.sh @@ -1,11 +1,24 @@ #!/bin/sh -VERSION=$1 +TMPDIR=`mktemp samba-XXXXX` +rm $TMPDIR || exit 1 +svn export . $TMPDIR || exit 1 -svn export . samba-$VERSION || exit 1 - -( cd samba-$VERSION/source +( cd $TMPDIR/source ./autogen.sh || exit 1 ./configure || exit 1 make dist || exit 1 -) && tar -zcf samba-$VERSION.tar.gz samba-$VERSION +) || exit 1 + +VERSION=`sed -n 's/^SAMBA_VERSION_STRING=//p' $TMPDIR/source/version.h` +mv $TMPDIR samba-$VERSION || exit 1 +tar -cf samba-$VERSION.tar samba-$VERSION || exit 1 +echo "Now run: " +echo "gpg --detach-sign --armor samba-$VERSION.tar" +echo "gzip samba-$VERSION.tar" +echo "And then upload " +echo "samba-$VERSION.tar.gz samba-$VERSION.tar.asc" +echo "to pub/samba/samba4/ on samba.org" + + + diff --git a/source4/script/mkversion.sh b/source4/script/mkversion.sh index d29e8bcb94..91c7894cdb 100755 --- a/source4/script/mkversion.sh +++ b/source4/script/mkversion.sh @@ -174,6 +174,10 @@ if test -n "${SAMBA_VERSION_VENDOR_SUFFIX}";then fi fi +echo "/* Version for mkrelease.sh: " >> $OUTPUT_FILE +echo "SAMBA_VERSION_STRING=$SAMBA_VERSION_STRING" >> $OUTPUT_FILE +echo "*/" >> $OUTPUT_FILE + ## ## Add a release nickname ## -- cgit From 5f9077c5497ead237063c4d91186dc747e8bdc83 Mon Sep 17 00:00:00 2001 
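Review bot: the mkrelease.sh hunk creates a temporary file with `TMPDIR=\`mktemp samba-XXXXX\``, deletes it with `rm $TMPDIR`, and then hands the same name to `svn export`, which reopens the race that mktemp exists to close; use `mktemp -d samba-XXXXX` and export into the directory it creates (svn export accepts an existing empty directory with `--force`, or simply export to `$TMPDIR/tree`). Naming the variable TMPDIR also shadows the environment variable that mktemp and other tools consult for their temp directory, so anything run later in the script inherits the export tree as its scratch location; a name such as EXPORTDIR avoids that. `VERSION` is taken from version.h with no check that sed matched anything, so an empty result yields `mv $TMPDIR samba-` and a tarball called samba-.tar; add `test -n "$VERSION" || exit 1` after the sed. The mkversion.sh hunk writes `SAMBA_VERSION_STRING=...` inside a C comment, which is fine as long as the marker stays on its own line, since the release script matches it with `^SAMBA_VERSION_STRING=`.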
From: Andrew Bartlett Date: Fri, 31 Aug 2007 06:48:32 +0200 Subject: r24823: Without any better ideas as to how to fill out the WHATSNEW, I've stolen the text from the first TP. Comments welcome... Andrew Bartlett (This used to be commit 3db7721ae16c65d93b13f55a84946fb5d2faa5b7) --- WHATSNEW.txt | 102 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 100 insertions(+), 2 deletions(-) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 6c0835883d..9975bfbe7d 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,6 +1,66 @@ -The Samba Team is proud to present our first alpha release of Samba4. +What's new in Samba 4 alpha1 +============================ -Samba4 aims to be a compatible replacement for +Samba 4 is the ambitious next version of the Samba suite that is being +developed in parallel to the stable 3.0 series. The main emphasis in +this branch is support for the Active Directory logon protocols used +by Windows 2000 and above. + +Samba 4 is currently not yet in a state where it is usable in +production environments. Note the WARNINGS below, and the STATUS file, +which aims to document what should and should not work. + +Samba4 alpha1 is the culmination of 4.5 years of development under our +belt since Tridge first proposed a new Virtual File System (VFS) layer +for Samba3 (a project which eventually lead to our Active Directory +efforts), and 1.5 years since we first released a Technology Preview, +we wish to allow users, managers and developers to see how we have +progressed, and to invite feedback and support. + +WARNINGS +======== + +Samba4 alpha1 is not a final Samba release. We recommend against +upgrading any production servers from Samba 3 to Samba 4 at this +stage. If you are upgrading an experimental server, you should backup +all configuration and data. + +NEW FEATURES +============ + +Samba4 supports the server-side of the Active Directory logon environment +used by Windows 2000 and later, so we can do full domain join +and domain logon operations with these clients. + +Our Domain Controller (DC) implementation includes our own built-in +LDAP server and Kerberos Key Distribution Center (KDC) as well as the +Samba3-like logon services provided over CIFS. We correctly generate +the infamous Kerberos PAC, and include it with the Kerberos tickets we +issue. + +SWAT is now integrated into Samba 4 as the user-friendly interface to +Samba server management. SWAT provides easy provides access to our +setup and migration tools. 
Using SWAT, you can migrate windows +domains in Samba 4, allowing easy setup of initial user databases. + +The new VFS features in Samba 4 adapts the filesystem on the server to +match the Windows client semantics, allowing Samba 4 to better match +windows behaviour and application expectations. This includes file +annotation information (in streams) and NT ACLs in particular. The +VFS is backed with an extensive automated test suite. + +A new scripting interface has been added to Samba 4, allowing +JavaScript programs to interface to Samba's internals. + +The Samba 4 architecture is based around an LDAP-like database that +can use a range of modular backends. One of the backends supports +standards compliant LDAP servers (including OpenLDAP), and we are +working on modules to map between AD-like behaviours and this backend. +We are aiming for Samba 4 to be powerful frontend to large +directories. + +CHANGES SINCE TP5 +================= In the time since TP5 was released in June 2007, Samba has continued to evolve, but you may particularly notice these areas: 
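Review bot: the NEW FEATURES text added in this hunk carries a duplicated word that will ship in the release notes, "SWAT provides easy provides access to our setup and migration tools"; drop the second "provides". In the same hunk "windows domains" and "windows behaviour" should be capitalised as "Windows", and "The new VFS features in Samba 4 adapts" needs "adapt" to agree with the plural subject. "Samba4" and "Samba 4" are used interchangeably throughout the new text; pick one spelling for the file.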
@@ -24,4 +84,42 @@ These are just some of the highlights of the work done in the past few months. More details can be found in our SVN history. +CHANGES +======= + +Those familiar with Samba 3 can find a list of user-visible changes +since that release series in the NEWS file. + +KNOWN ISSUES +============ + +- Domain member support is in it's infancy, and is not comprable to + the support found in Samba3. + +- There is no printing support in the current release. + +- Support for managing groups is currently poor (as the + memberOf/member linked attributes are not kept in sync). + +- Renaming and deleting subtrees (containers) in the the LDB tree will + have unexpected results. + +- The Samba4 port of the CTDB clustering support is not yet complete + +RUNNING Samba4 +============== + +A short guide to setting up Samba 4 can be found in the howto.txt file +in root of the tarball. + +DEVELOPMENT and FEEDBACK +======================== +Bugs can be filed at https://bugzilla.samba.org/. Please +look at the STATUS file before filing a bug to see if a particular +is supposed to work yet. + +Development and general discussion about Samba 4 happens mainly on +the #samba-technical IRC channel (on irc.freenode.net) and +the samba-technical mailing list (see http://lists.samba.org/ for +details). -- cgit From 00f1c64913fed4ad162b99bbe87557820eb4de97 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 31 Aug 2007 23:13:18 +0200 Subject: r24858: Make the 'vampire' code work again - clearly nobody uses this... Andrew Bartlett (This used to be commit 6961ab9291d719fa556d116b60d186cf1110c249) --- webapps/install/vampire.esp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/webapps/install/vampire.esp b/webapps/install/vampire.esp index e0c895404c..d5b7a73c53 100644 --- a/webapps/install/vampire.esp +++ b/webapps/install/vampire.esp 
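Review bot: the KNOWN ISSUES list added in this hunk has several typos: "in it's infancy" should be "in its infancy", "comprable" should be "comparable", and "in the the LDB tree" doubles "the". Under DEVELOPMENT and FEEDBACK, "to see if a particular is supposed to work yet" is missing its noun (presumably "feature"). The CTDB bullet is the only one without a full stop, and "RUNNING Samba4" mixes case with the other all-caps headings.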
@@ -51,7 +51,11 @@ if (session.authinfo.user_class == "ADMINISTRATOR" } if (form['submit'] == "Migrate") { + /* overcome an initially blank smb.conf */ lp.set("realm", subobj.REALM); + lp.set("workgroup", subobj.DOMAIN); + lp.reload(); + if (subobj.ADMINPASS == "") { write("

We need the administrator password for the " + subobj.DOMAIN + " domain to proceed. Please try again.

"); f.display(); -- cgit From 6e3ed3758f10ec3d8452202bcd5306a8a50cdbd9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 2 Sep 2007 23:29:48 +0200 Subject: r24910: Merge named.conf patch by Andrew Kroeger into release branch. Andrew Bartlett (This used to be commit 413af0aa02df1d0b8b3998253d4375364cc6899a) --- source4/setup/named.conf | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/source4/setup/named.conf b/source4/setup/named.conf index 2513632a47..6f97adf644 100644 --- a/source4/setup/named.conf +++ b/source4/setup/named.conf @@ -4,7 +4,7 @@ # #insert this into options {} -tkey-gssapi-credential "DNS/${DNSDOMAIN}" +tkey-gssapi-credential "DNS/${DNSDOMAIN}"; tkey-domain "${REALM}"; #the zone file @@ -19,9 +19,18 @@ zone "${DNSDOMAIN}." IN { }; # Also, you need to change your init scripts to set this environment variable -# for named: KRB_KTNAME so that it points to the keytab generated. +# for named: KRB5_KTNAME so that it points to the keytab generated. # In RedHat derived systems such RHEL/CentOS/Fedora you can add the following -# line to the /etc/sysconfig/named file -# export KRB_KTNAME=/etc/named.keytab - -# *TODO*: generate and install a keytab file in /etc/named.keytab +# line to the /etc/sysconfig/named file: +# export KRB5_KTNAME=${DNS_KEYTAB} +# +# Please note that most distributions have BIND configured to run under +# a non-root user account. For example, Fedora Core 6 (FC6) runs BIND as +# the user "named" once the daemon relinquishes its rights. Therefore, +# the file "dns.keytab" must be readable by the user that BIND run as. +# If BIND is running as a non-root user, the "dns.keytab" file must have its +# permissions altered to allow thge daemon to read it. In the FC6 +# example, execute the commands: +# +# chgrp named /usr/local/samba/private/dns.keytab +# chmod g+r /usr/local/samba/private/dns.keytab -- cgit From 3afdc12b96c0e249a9e4ff665c3b2147a99381a9 Mon Sep 17 00:00:00 2001 
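Review bot: in the vampire.esp hunk the new `lp.set("realm", subobj.REALM)`, `lp.set("workgroup", subobj.DOMAIN)` and `lp.reload()` calls run before the `subobj.ADMINPASS == ""` check, so a submission that fails validation and is sent back to the form has already rewritten the loaded realm and workgroup from unvalidated form fields. Move the three calls below the validation so the parameters only change once the migration actually proceeds, and add a sentence to the "overcome an initially blank smb.conf" comment explaining the order of `lp.set()` relative to `lp.reload()`, since it is not obvious from the hunk whether the reload re-reads smb.conf over the values just set.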
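Review bot: the named.conf guidance added in this hunk tells the administrator to `chgrp named` and `chmod g+r` the keytab under /usr/local/samba/private; that file holds the DNS/${DNSDOMAIN} service key, so the text should say explicitly that group read is the most that should be granted (no world-readable copy elsewhere) and that the private directory itself must be searchable by the named group for the file permission to have any effect. The two commands hard-code /usr/local/samba/private/dns.keytab while the `export KRB5_KTNAME=${DNS_KEYTAB}` line two lines above already uses a substituted variable; use the same variable in the commands so a non-default prefix does not produce wrong instructions. Two typos in the new comment: "thge daemon" and "the user that BIND run as" (runs).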
From: Andrew Bartlett Date: Sun, 2 Sep 2007 23:43:25 +0200 Subject: r24912: Merge 'use more substituted variables' patch to release branch. Andrew Bartlett (This used to be commit 075147ff1c2679b74d6e28c3ca401453b684bee0) --- source4/setup/named.conf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/source4/setup/named.conf b/source4/setup/named.conf index 6f97adf644..17beb7a2d7 100644 --- a/source4/setup/named.conf +++ b/source4/setup/named.conf @@ -22,15 +22,15 @@ zone "${DNSDOMAIN}." IN { # for named: KRB5_KTNAME so that it points to the keytab generated. # In RedHat derived systems such RHEL/CentOS/Fedora you can add the following # line to the /etc/sysconfig/named file: -# export KRB5_KTNAME=${DNS_KEYTAB} +# export KRB5_KTNAME=${DNS_KEYTAB_ABS} # # Please note that most distributions have BIND configured to run under # a non-root user account. For example, Fedora Core 6 (FC6) runs BIND as # the user "named" once the daemon relinquishes its rights. Therefore, -# the file "dns.keytab" must be readable by the user that BIND run as. -# If BIND is running as a non-root user, the "dns.keytab" file must have its +# the file "${DNS_KEYTAB}" must be readable by the user that BIND run as. +# If BIND is running as a non-root user, the "${DNS_KEYTAB}" file must have its # permissions altered to allow thge daemon to read it. In the FC6 # example, execute the commands: # -# chgrp named /usr/local/samba/private/dns.keytab -# chmod g+r /usr/local/samba/private/dns.keytab +# chgrp named ${DNS_KEYTAB_ABS} +# chmod g+r ${DNS_KEYTAB_ABS} -- cgit From 34e3445c60dba4638e21042ac8356007c1d27f4a Mon Sep 17 00:00:00 2001 
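Review bot: the typos from the previous revision of this comment survive the variable substitution: "the user that BIND run as" should read "runs as" and "thge daemon" should read "the daemon". The substitution itself is consistent, with the export line and the chgrp/chmod lines all using ${DNS_KEYTAB_ABS} and the prose referring to the bare file name as ${DNS_KEYTAB}; that only holds if both variables are filled in by the same provisioning step, which is worth a one-line comment at the top of the file.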
From: Andrew Bartlett Date: Mon, 3 Sep 2007 04:14:54 +0200 Subject: r24916: (merge to release branch) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In response to bug #4892 by Matthias Wallnöfer allow the objectclass module to reconstruct the objectclass hierarchy, rather than using templates. The issue being fixed in particular is that 'top' was not being set on containers. This should ensure we do this right for all objects. Andrew Bartlett (This used to be commit eeaa6f82492f2ec5f6595d93451c1429c4f6947e) --- source4/dsdb/samdb/ldb_modules/objectclass.c | 46 +++++++++++++++++++---- source4/dsdb/samdb/ldb_modules/samldb.c | 21 ++--------- source4/dsdb/samdb/samdb.c | 55 +++++++++++----------------- source4/setup/provision_templates.ldif | 30 --------------- 4 files changed, 63 insertions(+), 89 deletions(-) diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index 04cf8efdb2..f2ca92638d 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -92,6 +92,7 @@ static struct ldb_handle *oc_init_handle(struct ldb_request *req, struct ldb_mod } static int objectclass_sort(struct ldb_module *module, + struct ldb_message *msg, /* so that when we create new elements, we put it on the right parent */ TALLOC_CTX *mem_ctx, struct ldb_message_element *objectclass_element, struct class_list **sorted_out) @@ -100,7 +101,7 @@ static int objectclass_sort(struct ldb_module *module, int layer; const struct dsdb_schema *schema = dsdb_get_schema(module->ldb); struct class_list *sorted = NULL, *parent_class = NULL, - *subclass = NULL, *unsorted = NULL, *current, *poss_subclass; + *subclass = NULL, *unsorted = NULL, *current, *poss_subclass, *poss_parent, *new_parent; /* DESIGN: * * We work on 4 different 'bins' (implemented here as linked lists): 
@@ -149,6 +150,34 @@ static int objectclass_sort(struct ldb_module *module, } } + if (parent_class == NULL) { + current = talloc(mem_ctx, struct class_list); + current->objectclass = talloc_strdup(msg, "top"); + DLIST_ADD_END(parent_class, current, struct class_list *); + } + + /* For each object: find parent chain */ + for (current = unsorted; schema && current; current = current->next) { + const struct dsdb_class *class = dsdb_class_by_lDAPDisplayName(schema, current->objectclass); + if (!class) { + ldb_asprintf_errstring(module->ldb, "objectclass %s is not a valid objectClass in schema", current->objectclass); + return LDB_ERR_OBJECT_CLASS_VIOLATION; + } + for (poss_parent = unsorted; poss_parent; poss_parent = poss_parent->next) { + if (ldb_attr_cmp(poss_parent->objectclass, class->subClassOf) == 0) { + break; + } + } + /* If we didn't get to the end of the list, we need to add this parent */ + if (poss_parent || (ldb_attr_cmp("top", class->subClassOf) == 0)) { + continue; + } + + new_parent = talloc(mem_ctx, struct class_list); + new_parent->objectclass = talloc_strdup(msg, class->subClassOf); + DLIST_ADD_END(unsorted, new_parent, struct class_list *); + } + /* DEBUGGING aid: how many layers are we down now? */ layer = 0; do { @@ -265,11 +294,6 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req) return LDB_ERR_OPERATIONS_ERROR; } - ret = objectclass_sort(module, mem_ctx, objectclass_element, &sorted); - if (ret != LDB_SUCCESS) { - return ret; - } - /* prepare the first operation */ down_req = talloc(req, struct ldb_request); if (down_req == NULL) { @@ -287,6 +311,12 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req) return LDB_ERR_OPERATIONS_ERROR; } + ret = objectclass_sort(module, msg, mem_ctx, objectclass_element, &sorted); + if (ret != LDB_SUCCESS) { + talloc_free(mem_ctx); + return ret; + } + ldb_msg_remove_attr(msg, "objectClass"); ret = ldb_msg_add_empty(msg, "objectClass", 0, NULL); 
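Review bot: in the objectclass_sort hunk both `talloc(mem_ctx, struct class_list)` results (`current` for the synthesised "top" entry and `new_parent`) are dereferenced without a NULL check, and their `objectclass` strings are `talloc_strdup`'d on `msg` while the list nodes themselves hang off `mem_ctx`, so node and string have different lifetimes; check both allocations and parent the string on the node (or on `mem_ctx`), matching the rest of the function. The loop `for (current = unsorted; schema && current; current = current->next)` appends to `unsorted` while walking it and relies on DLIST_ADD_END placing the new parent at the tail so that it is visited in turn; that is the mechanism by which a grandparent gets pulled in, and it deserves a comment. When `schema` is NULL the loop is skipped but "top" is still added, which silently changes behaviour for an unschema'd database; returning an error there would be more honest. The later objectclass_add hunk correctly moves the sort after the message copy and adds `talloc_free(mem_ctx)` on the error path.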
@@ -398,7 +428,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req return LDB_ERR_OPERATIONS_ERROR; } - ret = objectclass_sort(module, mem_ctx, objectclass_element, &sorted); + ret = objectclass_sort(module, msg, mem_ctx, objectclass_element, &sorted); if (ret != LDB_SUCCESS) { return ret; } @@ -579,7 +609,7 @@ static int objectclass_do_mod(struct ldb_handle *h) { /* modify dn */ msg->dn = ac->orig_req->op.mod.message->dn; - ret = objectclass_sort(ac->module, mem_ctx, objectclass_element, &sorted); + ret = objectclass_sort(ac->module, msg, mem_ctx, objectclass_element, &sorted); if (ret != LDB_SUCCESS) { return ret; } diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index d448e30b31..5342c14967 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -411,7 +411,7 @@ static int samldb_fill_group_object(struct ldb_module *module, const struct ldb_ } ret = samdb_copy_template(module->ldb, msg2, - "(&(CN=TemplateGroup)(objectclass=groupTemplate))", + "group", &errstr); if (ret != 0) { @@ -476,7 +476,7 @@ static int samldb_fill_user_or_computer_object(struct ldb_module *module, const if (samdb_find_attribute(module->ldb, msg, "objectclass", "computer") != NULL) { ret = samdb_copy_template(module->ldb, msg2, - "(&(CN=TemplateComputer)(objectclass=userTemplate))", + "computer", &errstr); if (ret) { ldb_asprintf_errstring(module->ldb, 
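Review bot: the objectclass_modify hunk keeps `if (ret != LDB_SUCCESS) { return ret; }` after the new objectclass_sort call, and the objectclass_do_mod hunk does the same, whereas the objectclass_add hunk in this same patch now frees `mem_ctx` before returning on that path; give the two modify paths the same cleanup, or a comment saying why their context is owned by the handle. In the samldb.c hunks the names handed to samdb_copy_template are "group", "computer" and (in the next hunk) "user" and "ForeignSecurityPrincipal", which are glued into "CN=Template%s"; the mixed case only matches the provisioned entries because DN comparison is case-insensitive, so either use the provisioned spelling consistently or say in a comment that the lookup depends on that.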
@@ -486,22 +486,9 @@ static int samldb_fill_user_or_computer_object(struct ldb_module *module, const talloc_free(mem_ctx); return ret; } - - /* readd user and then computer objectclasses */ - ret = samdb_find_or_add_value(module->ldb, msg2, "objectclass", "user"); - if (ret) { - talloc_free(mem_ctx); - return ret; - } - ret = samdb_find_or_add_value(module->ldb, msg2, "objectclass", "computer"); - if (ret) { - talloc_free(mem_ctx); - return ret; - } - } else { ret = samdb_copy_template(module->ldb, msg2, - "(&(CN=TemplateUser)(objectclass=userTemplate))", + "user", &errstr); if (ret) { ldb_asprintf_errstring(module->ldb, @@ -582,7 +569,7 @@ static int samldb_fill_foreignSecurityPrincipal_object(struct ldb_module *module } ret = samdb_copy_template(module->ldb, msg2, - "(&(CN=TemplateForeignSecurityPrincipal)(objectclass=foreignSecurityPrincipalTemplate))", + "ForeignSecurityPrincipal", &errstr); if (ret != 0) { ldb_asprintf_errstring(module->ldb, diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 7a20ea8665..18669a2ae7 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -680,7 +680,7 @@ int samdb_find_or_add_attribute(struct ldb_context *ldb, struct ldb_message *msg copy from a template record to a message */ int samdb_copy_template(struct ldb_context *ldb, - struct ldb_message *msg, const char *filter, + struct ldb_message *msg, const char *name, const char **errstring) { struct ldb_result *res; 
@@ -690,15 +690,20 @@ int samdb_copy_template(struct ldb_context *ldb, *errstring = NULL; + if (!ldb_dn_add_child_fmt(basedn, "CN=Template%s", name)) { + return LDB_ERR_OPERATIONS_ERROR; + } + /* pull the template record */ - ret = ldb_search(ldb, basedn, LDB_SCOPE_SUBTREE, filter, NULL, &res); + ret = ldb_search(ldb, basedn, LDB_SCOPE_BASE, "cn=*", NULL, &res); talloc_free(basedn); if (ret != LDB_SUCCESS) { *errstring = talloc_steal(msg, ldb_errstring(ldb)); return ret; } if (res->count != 1) { - *errstring = talloc_asprintf(msg, "samdb_copy_template: ERROR: template '%s' matched %d records, expected 1\n", filter, + *errstring = talloc_asprintf(msg, "samdb_copy_template: ERROR: template '%s' matched %d records, expected 1\n", + name, res->count); talloc_free(res); return LDB_ERR_OPERATIONS_ERROR; 
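Review bot: the new `if (!ldb_dn_add_child_fmt(basedn, "CN=Template%s", name))` early return leaks `basedn`, which is only freed after the `ldb_search` call below it; free it before returning, or restructure so a single exit path frees it. Replacing a caller-supplied LDAP filter string with a fixed "CN=Template%s" child DN is a good change, since no filter is built from strings any more, but `ldb_dn_add_child_fmt` parses the formatted text as a DN, so `name` must never contain DN special characters; every caller in this patch passes a literal, and the function comment should state that `name` is not a user-controlled value. The BASE-scope search with filter "cn=*" is fine for a template that always has a cn.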
@@ -708,40 +713,22 @@ int samdb_copy_template(struct ldb_context *ldb, for (i = 0; i < t->num_elements; i++) { struct ldb_message_element *el = &t->elements[i]; /* some elements should not be copied from the template */ - if (strcasecmp(el->name, "cn") == 0 || - strcasecmp(el->name, "name") == 0 || - strcasecmp(el->name, "sAMAccountName") == 0 || - strcasecmp(el->name, "sAMAccountName") == 0 || - strcasecmp(el->name, "distinguishedName") == 0 || - strcasecmp(el->name, "objectGUID") == 0) { + if (ldb_attr_cmp(el->name, "cn") == 0 || + ldb_attr_cmp(el->name, "name") == 0 || + ldb_attr_cmp(el->name, "objectClass") == 0 || + ldb_attr_cmp(el->name, "sAMAccountName") == 0 || + ldb_attr_cmp(el->name, "sAMAccountName") == 0 || + ldb_attr_cmp(el->name, "distinguishedName") == 0 || + ldb_attr_cmp(el->name, "objectGUID") == 0) { continue; } for (j = 0; j < el->num_values; j++) { - if (strcasecmp(el->name, "objectClass") == 0) { - if (strcasecmp((char *)el->values[j].data, "Template") == 0 || - strcasecmp((char *)el->values[j].data, "userTemplate") == 0 || - strcasecmp((char *)el->values[j].data, "groupTemplate") == 0 || - strcasecmp((char *)el->values[j].data, "foreignSecurityPrincipalTemplate") == 0 || - strcasecmp((char *)el->values[j].data, "aliasTemplate") == 0 || - strcasecmp((char *)el->values[j].data, "trustedDomainTemplate") == 0 || - strcasecmp((char *)el->values[j].data, "secretTemplate") == 0) { - continue; - } - ret = samdb_find_or_add_value(ldb, msg, el->name, - (char *)el->values[j].data); - if (ret) { - *errstring = talloc_asprintf(msg, "Adding objectClass %s failed.\n", el->values[j].data); - talloc_free(res); - return ret; - } - } else { - ret = samdb_find_or_add_attribute(ldb, msg, el->name, - (char *)el->values[j].data); - if (ret) { - *errstring = talloc_asprintf(msg, "Adding attribute %s failed.\n", el->name); - talloc_free(res); - return ret; - } + ret = samdb_find_or_add_attribute(ldb, msg, el->name, + (char *)el->values[j].data); + if (ret) { + 
*errstring = talloc_asprintf(msg, "Adding attribute %s failed.\n", el->name); + talloc_free(res); + return ret; } } } diff --git a/source4/setup/provision_templates.ldif b/source4/setup/provision_templates.ldif index 914582eaf0..fa0718a0b7 100644 --- a/source4/setup/provision_templates.ldif +++ b/source4/setup/provision_templates.ldif @@ -12,11 +12,6 @@ isCriticalSystemObject: TRUE ### dn: CN=TemplateUser,CN=Templates -objectClass: top -objectClass: person -objectClass: organizationalPerson -objectClass: Template -objectClass: userTemplate userAccountControl: 514 badPwdCount: 0 codePage: 0 @@ -31,11 +26,6 @@ logonCount: 0 sAMAccountType: 805306368 dn: CN=TemplateComputer,CN=Templates -objectClass: top -objectClass: person -objectClass: organizationalPerson -objectClass: Template -objectClass: userTemplate userAccountControl: 4098 badPwdCount: 0 codePage: 0 @@ -50,9 +40,6 @@ logonCount: 0 sAMAccountType: 805306369 dn: CN=TemplateTrustingDomain,CN=Templates -objectClass: top -objectClass: Template -objectClass: userTemplate userAccountControl: 2080 badPwdCount: 0 codePage: 0 
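Review bot: the skip list in the copy loop still compares `el->name` against "sAMAccountName" twice in a row (the duplicate is carried over from the old code and reproduced in the new `ldb_attr_cmp` lines); drop one. Adding "objectClass" to the skip list is what lets the provision_templates.ldif hunks remove every objectClass value from the templates, so the two changes must land together; a one-line comment in the loop saying that the objectClass chain is now reconstructed by the objectclass module would save the next reader from wondering why templates carry no class.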
@@ -66,38 +53,21 @@ logonCount: 0 sAMAccountType: 805306370 dn: CN=TemplateGroup,CN=Templates -objectClass: top -objectClass: Template -objectClass: groupTemplate groupType: -2147483646 sAMAccountType: 268435456 # Currently this isn't used, we don't have a way to detect it different from an incoming alias # # dn: CN=TemplateAlias,CN=Templates -# objectClass: top -# objectClass: Template -# objectClass: aliasTemplate # cn: TemplateAlias # instanceType: 4 # groupType: -2147483644 # sAMAccountType: 268435456 dn: CN=TemplateForeignSecurityPrincipal,CN=Templates -objectClass: top -objectClass: Template -objectClass: foreignSecurityPrincipalTemplate showInAdvancedViewOnly: TRUE dn: CN=TemplateSecret,CN=Templates -objectClass: top -objectClass: leaf -objectClass: Template -objectClass: secretTemplate dn: CN=TemplateTrustedDomain,CN=Templates -objectClass: top -objectClass: leaf -objectClass: Template -objectClass: trustedDomainTemplate -- cgit From d9f4fda0823caa56576368037e5f3825dcf8897d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 3 Sep 2007 05:36:19 +0200 Subject: r24917: More thoughts on Samba4 release notes, readme etc. Andrew Bartlett (This used to be commit 69c31936104bd3ed19a622a0c7ef0fb36f185b17) --- NEWS | 7 --- README | 136 ----------------------------------------------------------- WHATSNEW.txt | 26 ++++++++---- 3 files changed, 17 insertions(+), 152 deletions(-) delete mode 100644 README diff --git a/NEWS b/NEWS index dd01091921..829f946b3e 100644 --- a/NEWS +++ b/NEWS 
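Review bot: after this hunk several template entries (CN=TemplateSecret, CN=TemplateTrustedDomain) consist of nothing but a dn, which ldb accepts but which makes the remaining "Currently this isn't used" comment about TemplateAlias the only explanation of what the file is for; add a header comment stating that templates carry attribute defaults only and that objectClass is supplied by the objectclass module. The samdb_copy_template signature change from a filter to a name is not applied to every caller in this patch: the r24919 commit further down this page has to fix source4/rpc_server/lsa/dcesrv_lsa.c, which still passed "(&(cn=TemplateSecret)(objectclass=secretTemplate))" and would otherwise be treated as a template name; grep the tree for other callers before merging.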
@@ -22,13 +22,6 @@ Introduction of LDB Samba now stores most of its persistent data in a LDAP-like database called LDB (see ldb(7) for more info). -Much improved SWAT -================== -SWAT has had some rather large improvements and is now more than just a -direct editor for smb.conf. Its layout has been improved. SWAT can now also -be used for editing run-time data - maintaining user information, provisioning, -etc. TLS is supported out of the box. - Built-in KDC ============ Samba4 ships with an integrated KDC (Kerberos Key Distribution diff --git a/README b/README deleted file mode 100644 index 596dbd570c..0000000000 --- a/README +++ /dev/null 
@@ -1,136 +0,0 @@ -Samba 4 is the ambitious next version of the Samba suite that is being -developed in parallel to the stable 3.0 series. The main emphasis in -this branch is support for the Active Directory logon protocols used -by Windows 2000 and above. - -While we welcome your interest in Samba 4, we don't want you to run your network with it quite yet. Please note the WARNINGS below, and the STATUS file, -which aims to document what should and should not work. - -With 4 years of development under our belt since Tridge first proposed -a new Virtual File System (VFS) layer for Samba3 (a project which -eventually lead to our Active Directory efforts), we felt that we -should create something we could 'show off' to our users. This is a -Technology Preview (TP), aimed at allowing you, our users, managers and -developers to see how we have progressed, and to invite your feedback and -support. - -WARNINGS -======== - -Samba4 TP is currently a pre-alpha technology. That is more a -reference to Samba4's lack of the features we expect you will need -than a statement of code quality, but clearly it hasn't seen a broad -deployment yet. If you were to upgrade Samba3 (or indeed Windows) to -Samba4, you would find many things work, but that other key features -you may have relied on simply are not there yet. - -For example, while Samba 3.0 is an excellent member of a Active -Directory domain, Samba4 is happier as a domain controller: (This is -where we have done most of the research and development). - -While Samba4 is subjected to an awesome battery of tests on an -automated basis, and we have found Samba4 to be very stable in it's -behaviour, we have to recommend against upgrading production servers -from Samba 3 to Samba 4 at this stage. If you are upgrading an -experimental server, or looking to develop and test Samba, you should -backup all configuration and data. 
- -As we research the needs of Active Directory integration more closely, -we may need to change the format of the user database, in particular -as we begin to understand how the attributes are generated and stored. -At a worst case, we expect users will be able to extract the stored -data as LDIF and hand munge it, but until we make an alpha release, we -won't do this automatically. Indeed, many module changes are simply -easier to cope with if you just re-provision after the upgrade. - -We value the security of your computers, and so we must warn you that -Samba 4 Technology Preview includes basic Access Control List (ACL) -protection on the main user database, but due to time constraints, -none on the registry at this stage. We also do not currently have -ACLs on the SWAT web-based management tool. This means that Samba 4 -Technology Preview is not secure, and should not be exposed to -untrusted networks. - -Within the above proviso, file system access should occur as the -logged in user, much as Samba3 does. - -As such, we must strongly recommend against using Samba4 in a -production environment at this stage. - -NEW FEATURES -============ - -Samba4 supports the server-side of the Active Directory logon environment -used by Windows 2000 and later, so we can do full domain join -and domain logon operations with these clients. - -Our Domain Controller (DC) implementation includes our own built-in -LDAP server and Kerberos Key Distribution Centre (KDC) as well as the -Samba3-like logon services provided over CIFS. We correctly generate -the infamous Kerberos PAC, and include it with the Kerberos tickets we -issue. - -SWAT is now integrated into Samba 4 as the user-friendly interface to -Samba server management. SWAT provides easy access to our -setup and migration tools. Using SWAT, you can migrate windows -domains in Samba 4, allowing easy setup of initial user databases, and -upgrades from Samba 3. 
- -The new VFS features in Samba 4 adapts the file-system on the server to -match the Windows client semantics, allowing Samba 4 to better match -windows behaviour and application expectations. This includes file -annotation information (in streams) and NT ACLs in particular. The -VFS is backed with an extensive automated test suite. - -A new scripting interface has been added to Samba 4, allowing -JavaScript programs to interface to Samba's internals. - -The Samba 4 architecture is based around an LDAP-like database that -can use a range of modular backends. One of the backends supports -standards compliant LDAP servers (including OpenLDAP), and we are -working on modules to map between AD-like behaviours and this back-end. -We are aiming for Samba 4 to be powerful front-end to large -directories. - -CHANGES -======= - -Those familiar with Samba 3 can find a list of user-visible changes -since that release series in the NEWS file. - - - An optional password is no longer supported as the second argument to - smbclient. - - - The default location of smb.conf in non-FHS builds has changed from the - PREFIX/lib directory to the PREFIX/etc directory. - -KNOWN ISSUES -============ - -- Standalone server and domain member roles are not currently - supported. While we have much of the infrastructure required, we - have not collected these pieces together. - -- There is no printing support in the current release. - -- SWAT can be painful with and forms. Just use the mouse, as - the JavaScript layer doing this will change. - -RUNNING Samba4 -============== - -A short guide to setting up Samba 4 can be found in the howto.txt file -in root of the tarball. - -DEVELOPMENT and FEEDBACK -======================== -Bugs can be filed at https://bugzilla.samba.org/. Please -look at the STATUS file before filing a bug to see if a particular -is supposed to work yet. 
- -Development and general discussion about Samba 4 happens mainly on -the #samba-technical IRC channel (on irc.freenode.net) and -the samba-technical mailing list (see http://lists.samba.org/ for -details). - - diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 9975bfbe7d..a392f0a234 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -20,10 +20,23 @@ progressed, and to invite feedback and support. WARNINGS ======== -Samba4 alpha1 is not a final Samba release. We recommend against -upgrading any production servers from Samba 3 to Samba 4 at this -stage. If you are upgrading an experimental server, you should backup -all configuration and data. +Samba4 alpha1 is not a final Samba release. That is more a reference +to Samba4's lack of the features we expect you will need than a +statement of code quality, but clearly it hasn't seen a broad +deployment yet. If you were to upgrade Samba3 (or indeed Windows) to +Samba4, you would find many things work, but that other key features +you may have relied on simply are not there yet. + +For example, while Samba 3.0 is an excellent member of a Active +Directory domain, Samba4 is happier as a domain controller: (This is +where we have done most of the research and development). + +While Samba4 is subjected to an awesome battery of tests on an +automated basis, and we have found Samba4 to be very stable in it's +behaviour, we have to recommend against upgrading production servers +from Samba 3 to Samba 4 at this stage. If you are upgrading an +experimental server, or looking to develop and test Samba, you should +backup all configuration and data. NEW FEATURES ============ 
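Review bot: deleting README removes the only warning on this page about the preview's access controls ("basic Access Control List (ACL) protection on the main user database, but ... none on the registry ... We also do not currently have ACLs on the SWAT web-based management tool ... should not be exposed to untrusted networks"), and the WHATSNEW WARNINGS hunk in the same commit copies the surrounding README paragraphs but not that one. Unless those controls have since been implemented, carry the paragraph over to WHATSNEW; nothing elsewhere on this page shows that it no longer applies. Grammar in the copied text: "a Active Directory domain" should be "an Active Directory domain", "very stable in it's behaviour" should be "its", and "happier as a domain controller: (This is where ..." should drop the colon before the parenthetical.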
@@ -38,11 +51,6 @@ Samba3-like logon services provided over CIFS. We correctly generate the infamous Kerberos PAC, and include it with the Kerberos tickets we issue. -SWAT is now integrated into Samba 4 as the user-friendly interface to -Samba server management. SWAT provides easy provides access to our -setup and migration tools. Using SWAT, you can migrate windows -domains in Samba 4, allowing easy setup of initial user databases. - The new VFS features in Samba 4 adapts the filesystem on the server to match the Windows client semantics, allowing Samba 4 to better match windows behaviour and application expectations. This includes file -- cgit From eca74dfd1733fda116ddfd9f75f3aff42d8f580d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 3 Sep 2007 07:58:18 +0200 Subject: r24919: Merge build fix and improved error strings to release branch. Andrew Bartlett (This used to be commit f189553db73c7d93d30cfa36073d86be14427f13) --- source4/dsdb/samdb/samdb.c | 6 ++++-- source4/rpc_server/lsa/dcesrv_lsa.c | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 18669a2ae7..17c40dd30d 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -691,6 +691,8 @@ int samdb_copy_template(struct ldb_context *ldb, *errstring = NULL; if (!ldb_dn_add_child_fmt(basedn, "CN=Template%s", name)) { + *errstring = talloc_asprintf(msg, "samdb_copy_template: ERROR: Failed to contruct DN for template '%s'", + name); return LDB_ERR_OPERATIONS_ERROR; } @@ -702,7 +704,7 @@ int samdb_copy_template(struct ldb_context *ldb, return ret; } if (res->count != 1) { - *errstring = talloc_asprintf(msg, "samdb_copy_template: ERROR: template '%s' matched %d records, expected 1\n", + *errstring = talloc_asprintf(msg, "samdb_copy_template: ERROR: template '%s' matched %d records, expected 1", name, res->count); talloc_free(res); 
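Review bot: the new error string in samdb_copy_template reads "Failed to contruct DN for template"; fix the spelling to "construct" before it ends up in logs that people grep for. Dropping the trailing "\n" from the two existing error strings in this hunk is right, since these strings are returned through `*errstring` and the callers add their own newline, as the DEBUG call in the dcesrv_lsa.c hunk of this same commit shows with "%s\n".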
@@ -726,7 +728,7 @@ int samdb_copy_template(struct ldb_context *ldb, ret = samdb_find_or_add_attribute(ldb, msg, el->name, (char *)el->values[j].data); if (ret) { - *errstring = talloc_asprintf(msg, "Adding attribute %s failed.\n", el->name); + *errstring = talloc_asprintf(msg, "Adding attribute %s failed.", el->name); talloc_free(res); return ret; } diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 72f12564ed..531cfc49e5 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -2284,7 +2284,7 @@ static NTSTATUS dcesrv_lsa_CreateSecret(struct dcesrv_call_state *dce_call, TALL /* pull in all the template attributes. Note this is always from the global samdb */ ret = samdb_copy_template(secret_state->policy->sam_ldb, msg, - "(&(cn=TemplateSecret)(objectclass=secretTemplate))", &errstr); + "secret", &errstr); if (ret != 0) { DEBUG(0,("Failed to load TemplateSecret from samdb: %s\n", errstr)); -- cgit From 78c4d54221195c80ce06670a73600bf2743f399f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 4 Sep 2007 05:57:54 +0200 Subject: r24944: Merge acct_expiry fix to release branch. Andrew Bartlett (This used to be commit 9cc19bcc37eaef380c83c5a69cef38f351a0c72f) --- source4/rpc_server/samr/dcesrv_samr.c | 13 ++++++++----- source4/torture/rpc/samr.c | 5 +++++ 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index da1054efce..fcc52afc03 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c 
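Review bot: in the dcesrv_lsa.c hunk the second argument to samdb_copy_template changes from an LDAP filter to the bare template name "secret", which the callee turns into "CN=Templatesecret" via ldb_dn_add_child_fmt(basedn, "CN=Template%s", name). Matching the existing CN=TemplateSecret object therefore relies on ldb comparing the CN value case-insensitively; a short comment at the call site saying so would save the next reader a detour, and it is worth grepping for any other caller that still passes a filter string, because such a caller would now build a nonsensical DN and fail with the new "Failed to construct DN" or "matched 0 records" error instead of a build error.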
@@ -3363,7 +3363,9 @@ static NTSTATUS dcesrv_samr_SetUserInfo(struct dcesrv_call_state *dce_call, TALL break; case 21: -#define IFSET(bit) if (bit & r->in.info->info21.fields_present) +#define IFSET(bit) if (bit & r->in.info->info21.fields_present) + IFSET(SAMR_FIELD_ACCT_EXPIRY) + SET_UINT64(msg, info21.acct_expiry, "accountExpires"); IFSET(SAMR_FIELD_ACCOUNT_NAME) SET_STRING(msg, info21.account_name, "samAccountName"); IFSET(SAMR_FIELD_FULL_NAME) @@ -3391,15 +3393,14 @@ static NTSTATUS dcesrv_samr_SetUserInfo(struct dcesrv_call_state *dce_call, TALL IFSET(SAMR_FIELD_COUNTRY_CODE) SET_UINT (msg, info21.country_code, "countryCode"); IFSET(SAMR_FIELD_CODE_PAGE) - SET_UINT (msg, info21.code_page, "codePage"); - - - /* Any reason the rest of these can't be set? */ + SET_UINT (msg, info21.code_page, "codePage"); #undef IFSET break; case 23: #define IFSET(bit) if (bit & r->in.info->info23.info.fields_present) + IFSET(SAMR_FIELD_ACCT_EXPIRY) + SET_UINT64(msg, info23.info.acct_expiry, "accountExpires"); IFSET(SAMR_FIELD_ACCOUNT_NAME) SET_STRING(msg, info23.info.account_name, "samAccountName"); IFSET(SAMR_FIELD_FULL_NAME) @@ -3454,6 +3455,8 @@ static NTSTATUS dcesrv_samr_SetUserInfo(struct dcesrv_call_state *dce_call, TALL case 25: #define IFSET(bit) if (bit & r->in.info->info25.info.fields_present) + IFSET(SAMR_FIELD_ACCT_EXPIRY) + SET_UINT64(msg, info25.info.acct_expiry, "accountExpires"); IFSET(SAMR_FIELD_ACCOUNT_NAME) SET_STRING(msg, info25.info.account_name, "samAccountName"); IFSET(SAMR_FIELD_FULL_NAME) diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index a07a39e078..8d3164967a 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c 
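Review bot: in the level 21 hunk (@@ -3363) the "#define IFSET(bit) if (bit & r->in.info->info21.fields_present)" line is shown as removed and re-added with no visible difference, so it is a whitespace-only change; drop it to keep the merge to the release branch minimal. The SET_UINT64 of info21.acct_expiry into "accountExpires" mirrors what levels 23 and 25 receive below, which is consistent.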
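Review bot: the @@ -3391 hunk deletes the comment "/* Any reason the rest of these can't be set? */" but only adds acct_expiry, so the question it raised about the remaining info23 fields is still open. Either keep the comment or replace it with a note listing which fields_present bits are intentionally not handled, so nobody assumes the IFSET list is now complete.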
@@ -386,6 +386,11 @@ static BOOL test_SetUserInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, TEST_USERINFO_INT(21, code_page, 21, code_page, __LINE__, SAMR_FIELD_CODE_PAGE); + TEST_USERINFO_INT(17, acct_expiry, 21, acct_expiry, __LINE__, 0); + TEST_USERINFO_INT(17, acct_expiry, 5, acct_expiry, __LINE__, 0); + TEST_USERINFO_INT(21, acct_expiry, 21, acct_expiry, __LINE__, + SAMR_FIELD_ACCT_EXPIRY); + TEST_USERINFO_INT(4, logon_hours.bits[3], 3, logon_hours.bits[3], 1, 0); TEST_USERINFO_INT(4, logon_hours.bits[3], 5, logon_hours.bits[3], 2, 0); TEST_USERINFO_INT(4, logon_hours.bits[3], 21, logon_hours.bits[3], 3, 0); -- cgit From b0b1f6510c3e04d35d415b463eb7b720507a554d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 4 Sep 2007 09:15:16 +0200 Subject: r24947: Forgot to merge this to release branch, so we got weird subs in named.conf example. Andrew Bartlett (This used to be commit 7ecedd050038855c65d57ac66e8f6d8890038cf0) --- source4/scripting/libjs/provision.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source4/scripting/libjs/provision.js b/source4/scripting/libjs/provision.js index ca0fedf97b..fd6de2695f 100644 --- a/source4/scripting/libjs/provision.js +++ b/source4/scripting/libjs/provision.js @@ -380,6 +380,7 @@ function provision_default_paths(subobj) paths.secrets = lp.get("secrets database"); paths.keytab = "secrets.keytab"; paths.dns_keytab = "dns.keytab"; + paths.dns_keytab_abs = lp.get("private dir") + "/" + paths.dns_keytab; paths.dns = lp.get("private dir") + "/" + dnsdomain + ".zone"; paths.named_conf = lp.get("private dir") + "/named.conf"; paths.winsdb = "wins.ldb"; @@ -478,6 +479,7 @@ function provision_fix_subobj(subobj, paths) subobj.SAM_LDB = "tdb://" + paths.samdb; subobj.SECRETS_KEYTAB = paths.keytab; subobj.DNS_KEYTAB = paths.dns_keytab; + subobj.DNS_KEYTAB_ABS = paths.dns_keytab_abs; subobj.LDAPDIR = paths.ldapdir; var ldap_path_list = split("/", paths.ldapdir); -- cgit 
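Review bot: the new TEST_USERINFO_INT cases in samr.c exercise acct_expiry through levels 17 and 21 only, while the server change in dcesrv_samr.c added SAMR_FIELD_ACCT_EXPIRY handling to levels 21, 23 and 25; add matching cases for 23 and 25 so the torture test pins down all three code paths. The two level-17 calls pass 0 as the fields mask, consistent with the logon_hours lines that follow, but a one-line comment on why a zero mask is correct there would help.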
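Review bot: in provision.js, paths.dns_keytab_abs and the DNS_KEYTAB_ABS substitution put the absolute path of dns.keytab into the generated named.conf example, which is what fixes the "weird subs" the commit message describes. Since that line points BIND at a Kerberos keytab, the named.conf template or the provisioning output should say that the named process needs read access to that file and nothing else should; otherwise a correct substitution can still leave the keytab unreadable by named or readable by everyone.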
From dd5fa4d226ea20d0051f7fd676fbea0e2902789d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 4 Sep 2007 23:47:00 +0200 Subject: r24958: This is the final text, and the final version. I'll send the release mail shortly. Andrew Bartlett (This used to be commit 42c07d0d74a54f469ff6c8229454fc933f3bad66) --- STATUS | 2 -- WHATSNEW.txt | 14 ++++++++++---- source4/VERSION | 2 +- 3 files changed, 11 insertions(+), 7 deletions(-) delete mode 100644 STATUS diff --git a/STATUS b/STATUS deleted file mode 100644 index 3e72ef6885..0000000000 --- a/STATUS +++ /dev/null @@ -1,2 +0,0 @@ -This file documents the features that are known to work or known to -still need work in the current version of Samba 4. diff --git a/WHATSNEW.txt b/WHATSNEW.txt index a392f0a234..c4b8a04704 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -101,7 +101,7 @@ since that release series in the NEWS file. KNOWN ISSUES ============ -- Domain member support is in it's infancy, and is not comprable to +- Domain member support is in it's infancy, and is not comparable to the support found in Samba3. - There is no printing support in the current release. @@ -114,6 +114,10 @@ KNOWN ISSUES - The Samba4 port of the CTDB clustering support is not yet complete +- Clock Synchronisation is critical. Many 'wrong password' errors are + actually due to Kerberos objecting to a clock skew between client + and server. + RUNNING Samba4 ============== 
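Review bot: deleting STATUS is consistent with the DEVELOPMENT and FEEDBACK hunk that stops pointing bug reporters at it, but check that nothing else in the tree or on the website still references the file before it disappears from the release tarball.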
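Review bot: the @@ -101 hunk fixes "comprable" but leaves "it's infancy" on the same line, which should be "its infancy"; since the line is already being touched, fix both.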
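Review bot: the clock-skew entry added in the @@ -114 hunk is a useful KNOWN ISSUES item; one wording point is that "Synchronisation" should be lowercase mid-sentence. Telling readers how to check (compare the client and server clocks before chasing a password problem) would make the entry actionable rather than just informative.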
@@ -122,9 +126,11 @@ in root of the tarball. DEVELOPMENT and FEEDBACK ======================== -Bugs can be filed at https://bugzilla.samba.org/. Please -look at the STATUS file before filing a bug to see if a particular -is supposed to work yet. +Bugs can be filed at https://bugzilla.samba.org/ but please be aware +that many features are simply not expected to work at this stage. + +The Samba Wiki at http://wiki.samba.org should detail some of these +development plans. Development and general discussion about Samba 4 happens mainly on the #samba-technical IRC channel (on irc.freenode.net) and diff --git a/source4/VERSION b/source4/VERSION index d0f02a62f5..7441b7421b 100644 --- a/source4/VERSION +++ b/source4/VERSION @@ -89,7 +89,7 @@ SAMBA_VERSION_RC_RELEASE= # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # ######################################################## -SAMBA_VERSION_IS_SVN_SNAPSHOT=yes +SAMBA_VERSION_IS_SVN_SNAPSHOT=no ######################################################## # This is for specifying a release nickname # -- cgit
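Review bot: SAMBA_VERSION_IS_SVN_SNAPSHOT flips from yes to no, so every build from this branch now identifies itself as the alpha1 release. That is correct for the tarball being cut, but it has to be set back to yes immediately after tagging, otherwise later branch builds will claim to be the released version and bug reports against them will be misattributed; the commit message should say that the flip-back is a separate follow-up.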