s4:samldb - Major rework

This fixes up the change of the primary group of a user when using the ADUC
console:
- When the "primaryGroupId" attribute changes, we have to delete the
  "member"/"memberOf" attribute reference of the new primary group and add one
  for the old primary group.
- Deny deletion of primary groups according to Windows Server (so we cannot
  have invalid "primaryGroupID" attributes in our AD).
- We cannot add a primary group directly before it isn't a secondary one of a
  user account.
- We cannot add a secondary reference ("member" attribute) when the group has
  been chosen as primary one.

This also removes the LDB templates which are basically overhead now.

This should also fix bug #6599.

source4/scripting/python/samba/provision.py

@@ -317,7 +317,6 @@ def provision_paths_from_lp(lp, dnsdomain):
     paths.samdb = os.path.join(paths.private_dir, lp.get("sam database") or "samdb.ldb")
     paths.idmapdb = os.path.join(paths.private_dir, lp.get("idmap database") or "idmap.ldb")
     paths.secrets = os.path.join(paths.private_dir, lp.get("secrets database") or "secrets.ldb")
-    paths.templates = os.path.join(paths.private_dir, "templates.ldb")
     paths.dns = os.path.join(paths.private_dir, dnsdomain + ".zone")
     paths.namedconf = os.path.join(paths.private_dir, "named.conf")
     paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
@@ -712,33 +711,6 @@ def setup_secretsdb(path, setup_path, session_info, credentials, lp):
 
     return secrets_ldb
 
-
-def setup_templatesdb(path, setup_path, session_info, lp):
-    """Setup the templates database.
-
-    :param path: Path to the database.
-    :param setup_path: Function for obtaining the path to setup files.
-    :param session_info: Session info
-    :param credentials: Credentials
-    :param lp: Loadparm context
-    """
-    templates_ldb = Ldb(url=path, session_info=session_info,
-                        lp=lp)
-    # Wipes the database
-    try:
-        templates_ldb.erase()
-    # This should be 'except LdbError', but on a re-provision the assert in ldb.erase fires, and we need to catch that too
-    except:
-        os.unlink(path)
-
-    templates_ldb.load_ldif_file_add(setup_path("provision_templates_init.ldif"))
-
-    templates_ldb = Ldb(url=path, session_info=session_info,
-                        lp=lp)
-
-    templates_ldb.load_ldif_file_add(setup_path("provision_templates.ldif"))
-
-
 def setup_registry(path, setup_path, session_info, lp):
     """Setup the registry.
     
@@ -1152,10 +1124,6 @@ def provision(setup_dir, message, session_info,
     setup_registry(paths.hklm, setup_path, session_info, 
                    lp=lp)
 
-    message("Setting up templates db")
-    setup_templatesdb(paths.templates, setup_path, session_info=session_info, 
-                      lp=lp)
-
     message("Setting up idmap db")
     idmap = setup_idmapdb(paths.idmapdb, setup_path, session_info=session_info,
                           lp=lp)

source4/setup/provision_templates.ldif

@@ -1,43 +0,0 @@
-###
-# Templates to be put in templates.ldb.  Not part of main samdb any more.
-###
-
-dn: CN=Templates
-objectClass: top
-objectClass: container
-description: Container for SAM account templates
-
-dn: CN=TemplateUser,CN=Templates
-userAccountControl: 546
-badPwdCount: 0
-codePage: 0
-countryCode: 0
-badPasswordTime: 0
-lastLogoff: 0
-lastLogon: 0
-pwdLastSet: 0
-primaryGroupID: 513
-accountExpires: 9223372036854775807
-logonCount: 0
-
-dn: CN=TemplateTrustingDomain,CN=Templates
-userAccountControl: 2080
-badPwdCount: 0
-codePage: 0
-countryCode: 0
-badPasswordTime: 0
-lastLogoff: 0
-lastLogon: 0
-primaryGroupID: 513
-accountExpires: 9223372036854775807
-logonCount: 0
-
-dn: CN=TemplateGroup,CN=Templates
-groupType: -2147483646
-
-dn: CN=TemplateForeignSecurityPrincipal,CN=Templates
-
-dn: CN=TemplateSecret,CN=Templates
-
-dn: CN=TemplateTrustedDomain,CN=Templates
-

source4/setup/provision_templates_init.ldif

@@ -1,10 +0,0 @@
-dn: @OPTIONS
-checkBaseOnSearch: TRUE
-
-dn: @INDEXLIST
-@IDXATTR: cn
-
-dn: @ATTRIBUTES
-cn: CASE_INSENSITIVE
-dn: CASE_INSENSITIVE
-