1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

464 Commits

Author SHA1 Message Date
Andrew Bartlett
1a97bd915d s4:provision Ensure that @OPTIONS is mirrored into each partition
The previous patches to the provision system cut down on the number of
reconnects, and disabled the partition handling for part of the
process.  This means we lost the setting of @OPTIONS as a replicated
attribute into the partitions.

Andrew Bartlett
2009-08-26 17:37:01 +10:00
Andrew Bartlett
a1da91174b s4:provison Add prefixes to ldb using same code a later modify will use
This allows us to test out the code that will do the modify of the
prefixMap, and to provide the bindings that may assist a future
upgrade script.

Andrew Bartlett
2009-08-26 13:49:10 +10:00
Andrew Bartlett
b9ec6bb1eb s4:provision Only create references to our server DN after the self join
This will ensure that the GUID can be filled in correctly, and assist
us to validate DN targets in the future.

Andrew Bartlett
2009-08-26 13:48:35 +10:00
Andrew Tridgell
e38f38fe48 we need the Deleted Objects container for replication
When objects are deleted they get renamed to this container. The
container needs to exist when we provision
2009-08-19 15:51:07 +10:00
Matthias Dieter Wallnöfer
0a5ea25d21 s4:python tools - Centralise the lookups for the default domain (root) in the call "domain_dn" from SamDB 2009-08-17 11:58:39 +02:00
Andrew Bartlett
e7bae2eb0a s4: Re-add --ldapadminpass as an option to provision
This should make setting up LDAP servers more predictable.

When not specified, it is random

Andrew Bartlett
2009-08-17 09:51:00 +10:00
Endi Sukma Dewata
a6c9233a12 s4:provision Fixes for Fedora DS schema mapping with full AD schema 2009-08-17 09:50:59 +10:00
Andrew Bartlett
f87811f6b3 s4:provision Rework provision-backend into provision
This removes a *lot* of duplicated code and the cause of much
administrator frustration.  We now handle starting and stopping the
slapd (at least for the provision), and ensure that there is only one
'right' way to configure the OpenLDAP and Fedora DS backend

We now run OpenLDAP in 'cn=config' mode for online configuration.

To test what was the provision-backend code, a new --ldap-dryrun-mode
option has been added to provision.  It quits the provision just
before it would start the LDAP binaries

Andrew Bartlett
2009-08-17 09:50:58 +10:00
Andrew Bartlett
a58b4f8cc2 s4:setup Don't manually set @ATTRIBUTES any more
We now set these as part of the schema load, and we now load the
schema before the provision loads the DB, so setting them here is
pointless

Andrew Bartlett
2009-08-17 09:50:57 +10:00
Andrew Bartlett
e1e99a7c7b s4:provision Remove the ACI element from the provision templates
We need to find a better way to apply this (used in the Fedora DS LDAP
backend), not by trying to tunnel this down the module stack.

Andrew Bartlett
2009-08-17 09:50:56 +10:00
Matthias Dieter Wallnöfer
639c9ccb93 s4: Correct the parameter logic of the "setpassword" script
Either the username or the filter are allowed. If both are given the filter is
going to be used due to a higher precedence.
2009-08-14 00:14:15 +02:00
Matthias Dieter Wallnöfer
fe767d4b70 s4:pwsettings script - Fix a small glitch
This fixes the problem with the setting and getting of the "minPwdAge" and
"maxPwdAge" attributes. I wanted to handle them in days but forgot to add
conversions (from "ticks" (tenth of microsecond) -> "days" and backwards).
2009-08-11 12:59:15 +02:00
Matthias Dieter Wallnöfer
c73984a5c9 s4:AD LDIFs - More refactoring
This commit includes:
- Additional static object data in SAMBA 4's AD to start supporting of
  - forest updates, - lost and found, - quotas on DS, - physical locations,
  - licensing of sites, - subnets, - policies for WMI, - DNS entries in AD
- Reordering of provision*.ldif files to be able to find entries and make future
  additions easier
- Add comments in provision*.ldif files to point out where subentries are located
  when they are based in other LDIFs
- Removations of autogenerated "cn" attributes
2009-08-11 12:59:13 +02:00
Andrew Bartlett
7bc566a882 s4:provision Allow provision-backend to not run slapd for 'make test'
As the version of OpenLDAP required for Samba4 is fairly new, we don't
want to make it a requirement before this python code is run in 'make
test'.

As such, skip over the actual starting of slapd, but check the rest
runs alright (which still validates syntax and other modules).

Andrew Bartlett
2009-08-12 11:09:50 +10:00
Andrew Bartlett
6dc41bf27c s4:provision Make the --ol-slapd paramter take the full path to slapd 2009-08-12 10:01:48 +10:00
Andrew Bartlett
f0decfe5c2 s4:provision Assume the OpenLDAP backend can find it's own modules 2009-08-12 10:01:48 +10:00
Oliver Liebel
28bcdf5266 s4:provision Rework and further automate setup of OpenLDAP backend
heres the summary of all changes/extensions:

- Andrew Bartlett's patch to generate indext
- Howard Chu's idea to use nosync on the DB included, but made optional

- slaptest-path is not needed any more (slapd -Ttest is used instead)
and is therefore removed. slapd-path is now recommended when
openldap-backend is chosen.
its also used for olc-conversion

- slapd-detection is now always done by ldapsearch (ldb module),
looking anonymous for objectClass: OpenLDAProotDSE via our ldapi_uri.

- if ldapsearch was not successfull, (no slapd listening on our socket)
slapd is
started via special generated slapdcommand_prov  (ldapi_uri only)

- slapd-"provision-process" startup is done via pythons subprocess.

- the slapd-provision-pid is stored under paths.ldapdir/slapd_provision_pid.

- after provision-backend is finished:
--- slapd.pid is compared with our stored slapd_provision_pid.
if the are unique, slapd.pid will be read out, and the
slapd "provison"-process will be shut down.
--- proper slapd-shutdown is verified again with ldb-search -> ldapi_uri
-> rootDSE.
--- if the pids are different or one of the pid-files is missing, slapd
will not be shut down,
instead an error message is displayed to locate slapd manually
--- extended help-messages (relevant to slapd) are always displayed,
e.g. the commandline with which slapd has to be started when everythings
finished
(slapd-commandline is stored under paths.ldapdir/slapd_command_file.txt))

- upgraded the content of the mini-howto (howto-ol-backend-s4.txt)
2009-08-12 10:01:48 +10:00
Matthias Dieter Wallnöfer
aa6dc21fa3 s4: Add a new script for setting password properties for a domain in a easier way 2009-08-07 17:21:58 +02:00
Oliver Liebel
11ff224e13 s4:setup Remove extra newlines that break OpenLDAP backend 2009-08-07 12:38:51 +10:00
Matthias Dieter Wallnöfer
1ce36ed747 s4:enableaccount script: Remove a redundant line 2009-08-06 12:34:56 +02:00
Andrew Bartlett
56f4516399 s4:kdc Push context to hdb_samba4 by way of the 'name' of the DB
This overloads the 'name' part of the keytab name to supply a context
pointer, and so avoids 3 global variables!

To do this, we had to stop putting the entry for kpasswd into the
secrets.ldb.  (I don't consider this a big loss, and any entry left
there by an upgrade will be harmless).

Andrew Bartlett
2009-07-27 22:41:42 +10:00
Andrew Bartlett
b50ab318c1 s4:setup add 'cn' attribute to Samba4 local schema
(We recently made the ms_schema.py script also add this attribute)
2009-07-27 22:41:42 +10:00
Matthias Dieter Wallnöfer
2fc5331e5c [SAMBA 4 directory] Refactoring and clean up of directory structure
- Adds more system objects which make sense to have them in SAMBA 4 also to
  have them when we add more and more services related to the directory (volume
  support, DFS, replication service, COM...)
- Make sure that "isCriticalSystemObject" and "showInAdvancedViewOnly" attributes
  are set correctly on each object
2009-07-20 14:21:09 +10:00
Jelmer Vernooij
7a765b65b7 provision: Remove unused imports. 2009-07-19 13:19:54 +02:00
Andrew Bartlett
271b5af92e s4:dsdb Handle dc/domain/forest functional levels properly
Rather than have the functional levels scattered in 4 different,
unconnected locations, the provision script now sets it, and the
rootdse module maintains it's copy only as a cached view onto the
original values.

We also use the functional level to determine if we should store AES
Kerberos keys.

Andrew Bartlett
2009-07-16 09:23:35 +10:00
Matthias Dieter Wallnöfer
5049f61f39 [SAMBA 4 directory] Changes "forceLogoff" and corrects the "subRefs"
- This changes the attribute "forceLogoff" to its' default
  values according to Windows Server 2003 R2
- Also this corrects the "subRefs" attribute of the base-DN which only refers
  to direct child partitions (and therefore not to the complete transitive closure)
2009-07-02 11:21:02 +10:00
Matthias Dieter Wallnöfer
b31f1e6d5b [SAMBA 4 directory] Corrects the "systemFlags" attributes
Set the values like Windows Server 2003 R2.
2009-07-01 14:50:42 +10:00
Matthias Dieter Wallnöfer
d4a969530d [SAMBA 4 directory] Adds the complete "objectclass path" to our self-created DC object
Found after some comparisons against Windows Server 2003 R2.
2009-07-01 14:50:42 +10:00
Matthias Dieter Wallnöfer
3e3c08c7a6 [SAMBA 4 directory] Adds the object version and "systemFlags" attribute to the display specifiers
The object version showed up in the Windows 2003 Server R2 AD.
The "systemFlags" attribute has been set to the right value.
2009-07-01 14:50:42 +10:00
Matthias Dieter Wallnöfer
2d9b51c2a8 Correct the headers of some SAMBA 4 setup python scripts 2009-06-29 13:39:55 +10:00
Andrew Bartlett
1e6fb7d730 s4: Add tests and 'must change password' flags in setpassword and newuser
In particular, ensure that we can acutally change the password under
these circumstances.

Andrew Bartlett
2009-06-18 13:49:30 +10:00
Andrew Bartlett
2afc6df9b4 s4:setup Add an option to 'setpassword' to force password change at next login 2009-06-18 13:49:30 +10:00
Jelmer Vernooij
c418af2456 ad-schema/license.txt: Fix typo. 2009-06-12 14:14:27 +02:00
Andrew Bartlett
4c1a7d7556 Add supportedCapabilities to our rootDSE
This makes AD client tools happier, as they know they are talking to
an AD server.

per Bug 6229 by Matthieu Patou <mat@matws.net>

Andrew Bartlett
2009-06-12 07:51:43 +10:00
Andrew Bartlett
d409a12ccd s4:setup Remove generated attributes from provision_configuration
Incorrectly added in 95eeef91d3, and
found by OpenLDAP backend tests run by Theodor Chirana <office@adaptcom.ro>

Andrew Bartlett
2009-05-29 12:15:28 +10:00
Andrew Kroeger
c80c3b5edd s4:provision: Added ComPartitionSets entry.
Without this entry, opening the COM+ tab under the properties of an OU within
ADUC results in the following error:

"Unable to retrieve all user properties, 0x80072030"
2009-05-26 14:17:22 +10:00
Andrew Kroeger
95eeef91d3 s4:Added Extended-Rights and subentries.
Without these entries, using the 'Delegate Control' option in ADUC results in
the following error message in the Delegation of Control Wizard:

"The templates could not be applied.  One or more of the templates is not
applicable.  Click Back and select different templates, and then try again."
2009-05-26 14:17:12 +10:00
Andrew Kroeger
d402866e31 s4:provision: Update DisplaySpecifiers (#5139).
The classDisplayName attribute controls the actual text displayed to the user
for the top-level menus, so added it to the existing entries.

The attributeDisplayNames attribute contains both the text displayed to the
user and a mapping to the internal directory attribute name for the particular
field, so added these to the existing entries as well.

Added new entries as appropriate to properly complete all menus and labels
within ADUC.
2009-05-26 14:16:05 +10:00
Matthias Dieter Wallnöfer
92d321006d Enable software rollout through AD
This enables the sofware rollout feature in Samba4

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-04-15 12:27:02 +10:00
Andrew Tridgell
26f5225ae2 we should not be supplying a generated attribute in our schema 2009-04-09 13:46:35 +10:00
Andrew Bartlett
354ba5e2e3 s4:schema Update Windows 2008 schema from Microsoft to latest version 2009-04-03 08:18:14 +11:00
Andrew Bartlett
c7ed9bc477 Remove minschema generated schema - we now generate from setup/ad-schema/ 2009-04-03 08:15:25 +11:00
Andrew Bartlett
1a17fcdf66 Add parentGUID as an allowed attribute in samba4Top
This is required to get provision against OpenLDAP working again
2009-04-03 08:14:42 +11:00
Andrew Bartlett
27c6eca04c Merge branch 'master' of ssh://git.samba.org/data/git/samba into wspp-schema 2009-03-20 13:22:08 +11:00
Andrew Tridgell
a1ebb85020 added support for parentGUID
This is made up of 4 parts:

  1) change our schema to include the parentGUID attribute type

  2) in the add hook in the objectclass module, get the objectGUID of
  the parent and add it to the message as parentGUID

  3) in the rename hook in the objectclass module, get the objectGUID
  of the new parent, and insert an async modify request after the
  renmam is done

  4) added a simple test suite
2009-03-17 14:18:53 +11:00
Andrew Bartlett
8249383efb Add the new, updated AD schema file from Microsoft
Also remove the copy of the licence text from licence.txt, to ensure
we don't get variations between the copies.

Andrew Bartlett
2009-02-25 10:40:42 +11:00
Oliver Liebel
503d15e8df Updates to the recent cn=config support for the OpenLDAP backend
- removed workaround for olcSyncprovConfig - creation (works perfect now
with 2.4.15, release was today)
- added 1 message-helpline, which is displayed when running
provision-backend with olc and/or mmr setup
- corrected 1 wrong slapcommand-helpline
- slapd.conf is removed now in case of olc-setup
- added 1 copyright-line to provision.py and provision-backend

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-02-25 10:39:35 +11:00
Oliver Liebel
31f2cddcf5 Added mmr and olc to the OpenLDAP backend provisioning-scripts
These extensions add mmr (multi-master-replication) and olc
(openldap-online-configuration) capabilities to the
provisioning-scripts (provision-backend and provision.py), for use
with the openldap-backend (only versions >=2.4.15!).

Changes / additions made to the provision-backend  -script:
added new command-line-options:
--ol-mmr-urls=<list of whitespace separated ldap-urls> for use with mmr
(can be combined with --ol-olc=yes),
--ol-olc=[yes/no] (activate automatic conversion from static slapd.conf
to olc),
--ol-slaptest=<path to slaptest binary> (needed in conjunction with
--ol-olc=yes)

Changes / additions made to the provision.py -script: added
extensions, that will automatically generate the chosen mmr and/or olc
setup for the openldap backend, according to the to chosen parameters
set in the provision-backend script

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-02-24 21:34:44 +11:00
Jelmer Vernooij
53b59aa2cf Use convenience function for finding setup_dir based on location of
python module.
2009-02-11 18:44:57 +01:00
Jelmer Vernooij
71221fded4 --interactive doesn't take any argument. 2009-02-11 16:58:00 +01:00