IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This simple script allows raising the domain and/or forest level for s4.
I integrated also the basic checks (since we don't perform them in LDB yet):
e.g. the forest level can't be higher than the domain level(s).
- The DC level we keep on Windows Server 2008 R2 (we should call ourself
always the newest server type)
- The domain/forest level we set to the minimum (Windows 2000 native) to
allow all AD DC types (from Windows 2000 on) in our domain - the NT4 "mixed"
mode isn't supported by us (discussed on mailing list) -> "nTMixedDomain" is
set always to 0
- I'll add a script which allows to bump the DC level (basically sets the
"msDS-Behaviour-Version" attributes on the "Partitions/Configuration/DC" and
on the "DC" object)
- Fix up "servicePrincipalNames" attributes on the DC object
- Add some informative comments (most in "provision_self_join.ldif")
- Add also comments where objects are missing which we may add later when we
support the feature (mainly for FRS)
- Add "domain updates" objects also under "CN=Configuration" (they exist twice)
- Add the default services under "Services" to allow interoperability with some
MS client tools
- Smaller changes
- Add/change "wellKnownObjects" attributes
- Order entries in "provision_basedn_modify.ldif"
- Add/change "delete entries" object under BASEDN and CONFIGDN
- Fix default version number of "Default domain policy" group policy
- Add "domain updates" objects for interoperability with MS AD maintaining tools
- Show version number in the "oEMInformation" attribute (suggested by ekacnet)
- Smaller fixups
This patches fixes the last difference between s4 and Windows Server regarding
group policy objects: we hadn't the domain controller policy.
- Adds the domain controller policy as it is found in the "original" AD
- Adds also the right version number in the GPT.INI file for the domain group
policy (was missing)
The DNS entries and SPNs are needed for samba<->samba DRS
replication. This patch adds them for a standalone DC configure. A
separate patch will add them for the vampire configure
This fixes the issue with the original files that they didn't have a
leading # in front of the comments, which caused our parsing scripts
much pain. The files are now exactly as delivered.
Andrew Bartlett
The added tests include basic validation that the script runs and accepts all
custom arguments. The tests also verify changes to the password complexity,
minimum password length, and minimum password length settings.
Validate that each field is within its allowed range. Also validate that the
maximum password age is greater than the minimum password length (if the maximum
password age is set).
I could not find these values documented anywhere in the WSPP docs. I used the
values shown in the W2K8 GPMC, as it appears that the GPMC actuaally performs
the validation of values.
If we cannot retrieve the value, do not assume a particular value. The fact
that we could not retrieve the value indicates a larger problem that we don't
want to make worse bypossibly clearing bit fields in the pwdProperties
attribute.
This ensures that all changes are made, or none are made. It also makes it
possible to do validation as we go and abort in case of an error, while always
leaving things in a consistent state.
1. During instance creation the provisioning script will import the SASL
mapping for samba-admin. It's done here due to missing config schema
preventing adding the mapping via ldapi.
2. After that it will use ldif2db to import the cn=samba-admin user as
the target of SASL mapping.
3. Then it will start FDS and continue to do provisioning using the
Directory Manager with simple bind.
4. The SASL credentials will be stored in secrets.ldb, so when Samba
server runs later it will use the SASL credentials.
5. After the provisioning is done (just before stopping the slapd)
it will use the DM over direct ldapi to delete the default SASL
mappings included automatically by FDS, leaving just the new
samba-admin mapping.
6. Also before stopping slapd it will use the DM over direct ldapi to
set the ACL on the root entries of the user, configuration, and
schema partitions. The ACL will give samba-admin the full access
to these partitions.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
The tick conversion math was off by a factor of 10 due to the incorrect usage of
the "e" notation. The expression "XeY" means "X * (10^Y)", so the correct
expression is 1e7 to get the correct adjustment for ticks.
I fixed them up to match with Windows Server 2003. I don't think that the
creation of them in the provision script is needed so I put them in the
"provision_users.ldif" file.
This fixes up the change of the primary group of a user when using the ADUC
console:
- When the "primaryGroupId" attribute changes, we have to delete the
"member"/"memberOf" attribute reference of the new primary group and add one
for the old primary group.
- Deny deletion of primary groups according to Windows Server (so we cannot
have invalid "primaryGroupID" attributes in our AD).
- We cannot add a primary group directly before it isn't a secondary one of a
user account.
- We cannot add a secondary reference ("member" attribute) when the group has
been chosen as primary one.
This also removes the LDB templates which are basically overhead now.
This should also fix bug #6599.
The original license headers provided by Microsoft cannot be parsed as valid
LDIF.
Changed the license headers to be valid LDIF comments, and added a new header
section detailing the exact changes that were made to the original document.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Like the schema, these are provided under the licence at the head of
the file, which is not the GPL, but allows us to distribute them with
Samba.
Andrew Bartlett
The previous patches to the provision system cut down on the number of
reconnects, and disabled the partition handling for part of the
process. This means we lost the setting of @OPTIONS as a replicated
attribute into the partitions.
Andrew Bartlett
This allows us to test out the code that will do the modify of the
prefixMap, and to provide the bindings that may assist a future
upgrade script.
Andrew Bartlett
This removes a *lot* of duplicated code and the cause of much
administrator frustration. We now handle starting and stopping the
slapd (at least for the provision), and ensure that there is only one
'right' way to configure the OpenLDAP and Fedora DS backend
We now run OpenLDAP in 'cn=config' mode for online configuration.
To test what was the provision-backend code, a new --ldap-dryrun-mode
option has been added to provision. It quits the provision just
before it would start the LDAP binaries
Andrew Bartlett
We now set these as part of the schema load, and we now load the
schema before the provision loads the DB, so setting them here is
pointless
Andrew Bartlett
This fixes the problem with the setting and getting of the "minPwdAge" and
"maxPwdAge" attributes. I wanted to handle them in days but forgot to add
conversions (from "ticks" (tenth of microsecond) -> "days" and backwards).
This commit includes:
- Additional static object data in SAMBA 4's AD to start supporting of
- forest updates, - lost and found, - quotas on DS, - physical locations,
- licensing of sites, - subnets, - policies for WMI, - DNS entries in AD
- Reordering of provision*.ldif files to be able to find entries and make future
additions easier
- Add comments in provision*.ldif files to point out where subentries are located
when they are based in other LDIFs
- Removations of autogenerated "cn" attributes
As the version of OpenLDAP required for Samba4 is fairly new, we don't
want to make it a requirement before this python code is run in 'make
test'.
As such, skip over the actual starting of slapd, but check the rest
runs alright (which still validates syntax and other modules).
Andrew Bartlett
heres the summary of all changes/extensions:
- Andrew Bartlett's patch to generate indext
- Howard Chu's idea to use nosync on the DB included, but made optional
- slaptest-path is not needed any more (slapd -Ttest is used instead)
and is therefore removed. slapd-path is now recommended when
openldap-backend is chosen.
its also used for olc-conversion
- slapd-detection is now always done by ldapsearch (ldb module),
looking anonymous for objectClass: OpenLDAProotDSE via our ldapi_uri.
- if ldapsearch was not successfull, (no slapd listening on our socket)
slapd is
started via special generated slapdcommand_prov (ldapi_uri only)
- slapd-"provision-process" startup is done via pythons subprocess.
- the slapd-provision-pid is stored under paths.ldapdir/slapd_provision_pid.
- after provision-backend is finished:
--- slapd.pid is compared with our stored slapd_provision_pid.
if the are unique, slapd.pid will be read out, and the
slapd "provison"-process will be shut down.
--- proper slapd-shutdown is verified again with ldb-search -> ldapi_uri
-> rootDSE.
--- if the pids are different or one of the pid-files is missing, slapd
will not be shut down,
instead an error message is displayed to locate slapd manually
--- extended help-messages (relevant to slapd) are always displayed,
e.g. the commandline with which slapd has to be started when everythings
finished
(slapd-commandline is stored under paths.ldapdir/slapd_command_file.txt))
- upgraded the content of the mini-howto (howto-ol-backend-s4.txt)
