IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This takes advantage of the fact that a single LDB operation is atomic
even inside our transaction and so we can retry it after updating the
schema.
This makes the smaba-tool domain schemaupgrade take 1m30s compared with 4m4s.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Dec 21 08:28:51 CET 2017 on sn-devel-144
Currently we support the 2012 and 2012 R2 prep levels.
Forest prep requires use of the schema master role.
Domain prep requires use of the infrastructure master role.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
While this may be enforced at lower levels, it would be better to warn
earlier rather than later.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Changes to provision and join to create a database with
encrypted_secrets enabled and a key file generated.
Also adds the --plaintext-secrets option to join and provision commands
to allow the creation of unencrypted databases.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We also reduce the scope of the import so that python-markdown is only
required if interacting with 2012 code.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 14 12:34:04 CET 2017 on sn-devel-144
This fixes us to have the official adminDescription etc. While both schema were provided by
Microsoft this is a better quality one, but still under the same licence.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This creates a temporary directory where the markdown is parsed and the
diffs are then applied.
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Allow a different base-schema to be used when provisioning a new domain.
This allows us to test the new 2012 schema without committing Samba to
using it by default.
If, in future, we change the default to use the 2012 schema, some
existing Samba tests (like upgradeprovision) rely on the 2012 schema.
So making the base-schema optional allows these tests to continue using
the older schema.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We've identified some cases where we've gotten our implementation of the
2008R2 schema wrong. We can fix these up for new provisions going
forward, but it'd be nice to have some way of fixing up the schema on
existing DCs.
A lot of what we're missing is already documented in Microsoft's
Sch45.ldf file:
https://technet.microsoft.com/en-us/library/dd378890(v=ws.10).aspx
Unfortunately we can't just apply the Sch45.ldf file using the existing
'samba-tool domain schema-upgrade' option because:
- We have got some of the Sch45.ldf changes, just not all of them.
- We already say the Samba schema objectVersion is 47 (2008R2), so
there's no way to tell if the Samba instance does or doesn't have the
missing changes (apart from querying each change).
We may want to add this to dbcheck eventually, but the simplest
implementation option for now is to extend the new schemaupgrade command
to allow us to specify a particular .LDF file to apply.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Currently the 'samba-tool domain schemaupgrade' command will only work
if the Samba config has the non-default option 'dsdb:schema update
allowed = yes'. The whole point of running this samba-tool option is to
upgrade the schema, so it would seem to make sense to bypass the setting
temporarily, in order to apply the schema updates successfully.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Microsoft has published the Schema updates that its Adprep.exe tool
applies when it upgrades a 2008R2 schema to 2012R2.
This patch adds an option to samba-tool to go through these update files
and apply each change one by one. Along the way we need to make a few
changes to the LDIF operations, e.g. change 'ntdsschemaadd' to 'add' and
so on.
The bulk of the changes involve parsing the .ldif file and separating
out each update into a separate operation.
There are a couple of errors that we've chosen to ignore:
- Trying to set isDefunct for an object we don't know about.
- Trying to set a value for an attribute OID that we don't know about
(we may need to fix this in future, but it'll require some help from
Microsoft about what the OIDs actually are).
To try to make life easier, I've added a ldif_schema_update helper
class. This provides convenient access of the DN the change applies to
and other such details (whether it's setting isDefunct, etc).
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Checks password against default quality and length standards when it is entered,
allowing a second chance to enter one (if interactive), rather than running
through the provisioning process and bailing on an exception
Includes unit tests for the newly-added python wrapper of check_password_quality
plus black-box tests for the checks in samba-tool.
Breaks an openldap test which uses an invalid password.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9710
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12235
Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Because these options are optional based on build-time rules, we need to encode the
default value from the additonal Option() blocks in the run() declaration.
Then we can correctly check only for the expected options, and not inconsistently for
None (causing classicupgrade to fail).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12543
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
The only reasonable use --use-xattrs=no should be used is in selftest,
and there is no need for that or --use-xattrs=auto without
--use-ntvfs, all systems we support in production for the AD DC have
xattrs, as using smbd needs posix ACLs.
This also removes the option entirely if NTVFS support is omitted from
the build.
I would prefer to get rid of the option, but currently selftest relies
on the default of --use-xattrs=auto, and we first should get rid of
that auto-detection, which will then mean we need --use-xattrs=no
specified wherever we specify --use-ntvfs.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Tue Sep 6 04:21:42 CEST 2016 on sn-devel-144
This allows us to carefully test the garbage collection of tombstoned objects
without running the full server and waiting for the timer to expire
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
The netcmd/domain.py module uses os.popen() on user-supplied
parameters. This opens up the way to code injection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11601
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Mon Nov 23 22:19:34 CET 2015 on sn-devel-104
This would help remove a DC that is a conflict record, for example
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
This is done primarilly to set the pattern that we should manipulate ldb.Dn values
with the helper routines, not just by concatonation via format strings.
We also restrict our exception hadling to only the expected errors, not
all errors.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
On an RODC the local database cannot be modified, and the flags to remove
are different, we need instead to remove UF_PARTIAL_SECRETS_ACCOUNT.
If we are in a subdomain, then db.get_root_basedn() points to the
forest root, not the root of our domain
If the removeDsServer() fails with WERR_DS_DRA_NO_REPLICA
this may be reasonably considered to be success in this case.
Finally, the remove_dc.remove_sysvol_references() is reused
for objects not under the computer account.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
domain demote
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
The new version of this tool now can remove another DC that is
itself offline. The --remove-other-dead-server removes
as many references to the DC as possible.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
We now only build it by default with --enable-sefltest, or otherwise
if requested.
The NTVFS file server still has features not present in the smbd file
server, such as a CIFS/SMB proxy, and a radically different design,
but it is also not undergoing any ongoing development so this keeps it
in a safe state for care and maintaince, with less of a security risk
if such an issue were to come up.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
"it's" is reserved for the contraction of "it is".
This *is* somewhat illogical, which is how you know its proper
English.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Available subcommands:
create - Create a domain or forest trust.
delete - Delete a domain trust.
list - List domain trusts.
namespaces - Manage forest trust namespaces.
show - Show trusted domain details.
validate - Validate a domain trust.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-Off-By: Daniel Cotton <danielcotton.patches at gmail.com>
Reviewed-By: Michael Adam <obnox@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Tue Dec 2 01:18:53 CET 2014 on sn-devel-104
Windows 2003 is going out of support shortly, and we want users to have AES by default
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
