IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The previous patches to the provision system cut down on the number of
reconnects, and disabled the partition handling for part of the
process. This means we lost the setting of @OPTIONS as a replicated
attribute into the partitions.
Andrew Bartlett
This allows us to test out the code that will do the modify of the
prefixMap, and to provide the bindings that may assist a future
upgrade script.
Andrew Bartlett
Andrew, can you please check this? The idmap.setup_name_mapping tests
look totally out of place here. I'm also not sure I captured your
intention with the other changes
The Samba4 schema code (called via
samdb.set_schema_from_ldb(schema.ldb)) manages the @ATTRIBUTES and
@INDEXLIST records, so don't wipe them early. The chances are that we
will not change them anyway.
Andrew Bartlett
Using a single transaction to both erase the bulk of the data and the
rebuild of that data means that the in-memory index list is
maintained, and not written out to disk until it is all compleated.
All the writes then occour at the end.
Andrew Bartlett
This removes a *lot* of duplicated code and the cause of much
administrator frustration. We now handle starting and stopping the
slapd (at least for the provision), and ensure that there is only one
'right' way to configure the OpenLDAP and Fedora DS backend
We now run OpenLDAP in 'cn=config' mode for online configuration.
To test what was the provision-backend code, a new --ldap-dryrun-mode
option has been added to provision. It quits the provision just
before it would start the LDAP binaries
Andrew Bartlett
As the version of OpenLDAP required for Samba4 is fairly new, we don't
want to make it a requirement before this python code is run in 'make
test'.
As such, skip over the actual starting of slapd, but check the rest
runs alright (which still validates syntax and other modules).
Andrew Bartlett
heres the summary of all changes/extensions:
- Andrew Bartlett's patch to generate indext
- Howard Chu's idea to use nosync on the DB included, but made optional
- slaptest-path is not needed any more (slapd -Ttest is used instead)
and is therefore removed. slapd-path is now recommended when
openldap-backend is chosen.
its also used for olc-conversion
- slapd-detection is now always done by ldapsearch (ldb module),
looking anonymous for objectClass: OpenLDAProotDSE via our ldapi_uri.
- if ldapsearch was not successfull, (no slapd listening on our socket)
slapd is
started via special generated slapdcommand_prov (ldapi_uri only)
- slapd-"provision-process" startup is done via pythons subprocess.
- the slapd-provision-pid is stored under paths.ldapdir/slapd_provision_pid.
- after provision-backend is finished:
--- slapd.pid is compared with our stored slapd_provision_pid.
if the are unique, slapd.pid will be read out, and the
slapd "provison"-process will be shut down.
--- proper slapd-shutdown is verified again with ldb-search -> ldapi_uri
-> rootDSE.
--- if the pids are different or one of the pid-files is missing, slapd
will not be shut down,
instead an error message is displayed to locate slapd manually
--- extended help-messages (relevant to slapd) are always displayed,
e.g. the commandline with which slapd has to be started when everythings
finished
(slapd-commandline is stored under paths.ldapdir/slapd_command_file.txt))
- upgraded the content of the mini-howto (howto-ol-backend-s4.txt)
Rather than have the functional levels scattered in 4 different,
unconnected locations, the provision script now sets it, and the
rootdse module maintains it's copy only as a cached view onto the
original values.
We also use the functional level to determine if we should store AES
Kerberos keys.
Andrew Bartlett
This removes a level of indirection via external binaries in the
provision-backend code, and also makes better use of our internal code
for loading schema from an LDIF file.
Remaining to do: Sort the output again, as the load from LDIF is
unsorted (also needed because the normal LDB load from sorted input is too slow
anyway, and is only needed here).
Andrew Bartlett
For example, if we don't create the admin user (perhaps expecting
users to be in LDAP already, or we are due an incoming replication) we
should not confuse the administrator by printing a unused password.
Andrew Bartlett
Here's a first attempt at moving the minschema_wspp code into a
library as Andrew requested. Since this script no longer has to
generate CN=aggregate, I've simplified it quite a bit to a level where
it almost does a line-by-line translation. This is faster and simpler,
but it may not catch as many errors in the ad-schema files as the
previous versions did.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
- removed workaround for olcSyncprovConfig - creation (works perfect now
with 2.4.15, release was today)
- added 1 message-helpline, which is displayed when running
provision-backend with olc and/or mmr setup
- corrected 1 wrong slapcommand-helpline
- slapd.conf is removed now in case of olc-setup
- added 1 copyright-line to provision.py and provision-backend
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
These extensions add mmr (multi-master-replication) and olc
(openldap-online-configuration) capabilities to the
provisioning-scripts (provision-backend and provision.py), for use
with the openldap-backend (only versions >=2.4.15!).
Changes / additions made to the provision-backend -script:
added new command-line-options:
--ol-mmr-urls=<list of whitespace separated ldap-urls> for use with mmr
(can be combined with --ol-olc=yes),
--ol-olc=[yes/no] (activate automatic conversion from static slapd.conf
to olc),
--ol-slaptest=<path to slaptest binary> (needed in conjunction with
--ol-olc=yes)
Changes / additions made to the provision.py -script: added
extensions, that will automatically generate the chosen mmr and/or olc
setup for the openldap backend, according to the to chosen parameters
set in the provision-backend script
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
We need to avoid handling DN+Binary and DN+String with the refint
module for now, as this is a currently unsupported syntax.
Also rename entryTTL to avoid a conflict with the operational
attribute of the same name.
Andrew Bartlett
We didn't handle the mode where we can't load the main sam.ldb due to
the modules being 'wrong', and when we did remove the file, we didn't
wipe the partitions.
This just changes the existing stratagy of loading different modules
for the OpenLDAP backend to also include extended_dn_out_*
When we provision the OpenLDAP backend, we make sure to include the
'deref' overlay (which must be made available by the OpenLDAP build)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
By splitting the module, the extended_dn_in and extended_dn_store
moudles can use extended_dn_out to actually get the extended DN. This
avoids code duplication.
The extended_dn_out module also contains a client implementation of
the OpenLDAP dereference control (draft-masarati-ldap-deref-00).
This also introduces a new control
'DSDB_CONTROL_DN_STORAGE_FORMAT_OID' to ask the extended_dn_out module
to return whatever the 'storage format' is. This allows us to work
with both OpenLDAP (which performs a dereference at run time) and LDB
(which stores the GUID and SID on disk).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This makes it operate in all partitions (minor), but more importantly
places it above some other modules that implement some extra schema
checks. (The linked_attributes module objects to unknown attributes,
which inclues clearTextPassword, which we need internally but is not
in the schema).
Andrew Bartlett
In the future, we might simply randomly generate this, or allow the
admin to specify it seperate to the admin password. However, both are
highly sensitive, as they imply read access to the krbtgt.
Andrew Bartlett
(This used to be commit 57d19ad002)
This avoids passing rootdn passwords or replicated data in cleartext
across the network.
Signed-of-by: Andrew Bartlett <abartlet@samba.org>
(This used to be commit 67373c143a)
<oliver@itc.li>
This changes the RIDs to be <serverID><DBID>, to ease later debugging.
The need to specify the port on the MMR URLs is now included in the
help.
Andrew Bartlett
(This used to be commit a5cbe8c09c)
This changes the MMR password from hard-coded value of 'linux',
adds tests and fixes the Fedora DS backend.
Currently the MMR password matches the admin password, but we can
change this to be another random value if required.
Also require the port to be specified on the command line, so we don't
hard-code a port of 9000.
Andrew Bartlett
(This used to be commit 08257c6d6c)
This patches provision-backend and the related scripts to generate the
correct configuration blobs for N-way multi-master replication using
OpenLDAP.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(This used to be commit 6ed0b3f247)
- fixes bug #4813 (simplify DNS setup)
- This reworks the named.conf to be a fully fledged include
- This also moves the documentation into named.txt
- improves bug #4900 (Group policy support in Samba)
- by creating an empty GPT.INI
- fixes bug #5582 (DNS: Enhanced zone file)
- This is now closer to the zone file AD creates
committed by Andrew Bartlett
(This used to be commit 74d684f6b3)
This reworks our LDAP backend code to move from anonymous access to a
shared-secret SASL-protected connection. (SASL selects NTLM or
DIGEST-MD5 on my system).
To get this working, we must pre-populate the LDAP backend with a DN
to store ths SASL secret on, and we use back-ldif for this.
This gives us a reasonable basis to deploy a replicated OpenLDAP
backend solution.
Andrew Bartlett
(This used to be commit cd0745253c)
This fixes up the provision to operate with a target directory - it
must override the smb.conf in this case.
Andrew Bartlett
(This used to be commit 89fc39f7ed)
Added code to the python provisioning to create the named.conf file that was
previously generated by the EJS provisioning.
Updated the named.conf template to provide the additional details necessary
to get things working.
(This used to be commit 0b7a6bfcba)
When the user has an existing smb.conf, but no [netlogon] or [sysvol]
share, the provision script would trigger a traceback. While we still
need to abort in this situation, we do so now with a useful error.
Andrew Bartlett
(This used to be commit 10a8b7ea48)
Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into 4-0-abartlet
Conflicts:
source/torture/local/torture.c
(This used to be commit 5bf1c89cf8)
This option allows Fedora DS multi-master replication to work. I've
tried to update the wiki and scripts to the largely consistant with
each other.
Andrew Bartlett
(This used to be commit 42393c8307)
In particular, allow for the server DN to be in a different site
(possible outcome of a DRS replication).
Andrew Bartlett
(This used to be commit 9ee4e39fe1)
In particular, this should draw attention to accidential 'standalone'
server provisions and therefore cause less frustration.
Andrew Bartlett
(This used to be commit e906ae041a)
This reworks quite a few parts of our provision system to use
CN=NETBIOSNAME as the domain for member servers.
This makes it clear that these domains are not in the DNS structure,
while complying with our own schema (found by OpenLDAP's schema
validation).
Andrew Bartlett
(This used to be commit bda6a38b05)
This should allow us to provision onto an OpenLDAP backend again.
Also ensure we always have a sysvol and netlogon share in the selftest
environment.
Andrew Bartlett
(This used to be commit b2d9b03ba3)
This required a large rework of the provision code, so as to move much
of the 'guess' logic into subprocedures, rather than just inline in
the provision code.
Andrew Bartlett
(This used to be commit a0754c2a85)
This fixes up some issues with testdir (was not honoured) and
increases test coverage.
We now check all the major provision modes. In doing so, to make it
possible to call from the multiple layers of 'sh', I have allowed 'dc'
to alias 'domain controller' and 'member' to alias 'member server'.
Fighting shell quoting in the test system was just too hard...
Also fix upgrade.py
Andrew Bartlett
(This used to be commit 0923de1228)
This is the start of the rework of the provision script to handle an
LDAP backend correctly. For example, we must not set the 'tdb
modules' against an LDAP backend such as OpenLDAP that handles subtree
renames.
Andrew Bartlett
(This used to be commit e462a107d3)
To make Samba4, using the python provision system, pass this test
required some major rework. Untested code is broken code, and some of
the refactoring for a seperate provision test (which also now passes)
broke things.
Similarly, the iconv work has compiled, but these codepaths have never
been run (NULL pointer de-reference).
In working to use a local, rather than global, loadparm context, and
to support using a target directory, a few things needed to be
reworked, particularly around path handling.
Andrew Bartlett
(This used to be commit 1169e8d7be)
Somewhere in the conversion from ejs we lost calling the 'delete
partitions' code. However, we have to be careful not to wipe
partitions when we are the second client connecting to an LDAP server.
Andrew Bartlett
(This used to be commit 272eb765b8)
Can't add "member server" because the script aborts with null
reference when no match on serverrole. This is fixed by checking for
the keyword "member server".
(This used to be commit 62536750ae)
with Jelmer today.
The only remaining issue is that for the build farm, we will need to
manually specify the users and groups from the NSS_WRAPPPER, as python
isn't compiled with this.
Andrew Bartlett
(This used to be commit 5370484d25)
Added blackbox tests for provision and upgrade Python scripts.
Clean up temporary files created by the Python tests.
(This used to be commit 2227fb6df6)
- Start working on Python equivalents for various EJS tests.
- Fix regression in argument order for reg_diff_apply() in EJS bindings.
(This used to be commit c550c03372)
