Stefan Metzmacher
6d7b9648e5
s4:dsdb: allocate DSDB_CONTROL_BYPASS_PASSWORD_HASH_OID
...
When importing users from Samba3 we need to control all values.
metze
2010-07-05 18:00:14 +02:00
Matthias Dieter Wallnöfer
43b0c314d8
s4:setup/provision_basedn_modify.ldif - set "minPwdAge" to the right value
...
Now we should have fixed all password related tests to cooperate with this value
2010-07-03 11:38:54 +02:00
Stefan Metzmacher
50da834f13
s4:provision: add entries for root dns servers
...
metze
2010-06-26 09:50:56 +02:00
Stefan Metzmacher
6ab234cec9
s4:provision: move Samba4 specific DNS stuff to its own file
...
metze
2010-06-26 09:50:56 +02:00
Stefan Metzmacher
c6b21931c6
s4:provision: add --next-rid option
...
Make it possible to provision a domain with a given next rid counter.
This will be useful for upgrades, where we want to import users
with already given SIDs.
metze
2010-06-26 09:50:55 +02:00
Stefan Metzmacher
712a149802
s4:provision: don't use hardcoded values for 'nextRid' and 'rIDAvailablePool'
...
On Windows dcpromo imports nextRid from the local SAM,
which means it's not hardcoded to 1000.
The initial rIDAvailablePool starts at nextRid + 100.
I also found that the RID Set of the local dc
should be created via provision and not at runtime,
when the first rid is needed.
(Tested with dcpromo on w2k8r2, while disabling the DNS
check box).
After provision we should have this (assuming nextRid=1000):
rIDAllocationPool: 1100-1599
rIDPrevAllocationPool: 1100-1599
rIDUsedPool: 0
rIDNextRID: 1100
rIDAvailablePool: 1600-1073741823
Because provision sets rIDNextRid=1100, the first created account
(typically DNS related accounts) will get 1101 as rid!
metze
2010-06-26 09:50:54 +02:00
Matthias Dieter Wallnöfer
8ad01613f6
Revert "s4:provision.ldif - fix the number of available RIDs"
...
This reverts commit 41cdcd54b7.
As per request of metze revert this (cause written on the mailing list).
2010-06-24 15:13:40 +02:00
Matthias Dieter Wallnöfer
41cdcd54b7
s4:provision.ldif - fix the number of available RIDs
...
There should be 4611686014132422209 and not 4611686014132422109.
2010-06-24 10:04:53 +02:00
Matthias Dieter Wallnöfer
fec489bd87
s4:provision.ldif - this Win2003 revision level seems always to be "9" on Windows Server 2008 machines
2010-06-24 10:04:53 +02:00
Matthias Dieter Wallnöfer
64e19ef9fb
s4:provision_users.ldif - change a group description to be correct
2010-06-24 10:04:52 +02:00
Matthias Dieter Wallnöfer
e88f37daa0
s4:setup/provision.reg - raise version to Windows Server 2008 R2
2010-06-24 10:04:50 +02:00
Jelmer Vernooij
237ab66f6c
selftest: Use scripted testparm.
2010-06-20 14:14:47 +02:00
Lukasz Zalewski
e55c012acc
make test modules for net group set of commands and modification to the newuser to include additional parameters
...
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-06-20 01:29:03 +02:00
Matthieu Patou
3ebe560622
ldb: add a new control bypassioperationnal
...
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-06-20 00:43:08 +02:00
Andrew Bartlett
d523e946b1
s4:provision Add import for DS_DOMAIN_FUNCTION_2000
2010-06-16 09:57:51 +10:00
Andrew Bartlett
814cb8895d
s4:provision Allow functional level 2000 to be chosen
2010-06-16 09:57:51 +10:00
Andrew Bartlett
ecfce7365c
s4:dsdb Add control for signaling between repl_meta_data and linked_attributes
...
This control will allow the linked_attributes module to know if
repl_meta_data has already handled the creation of forward and back
links.
Andrew Bartlett
2010-06-16 09:57:51 +10:00
Andrew Kroeger
352fb5c7e4
s4:provision: Make gc._msdcs DNS entries A/AAAA records
...
When adding an additional DC as a GC server, the new DC attempts to register its
own gc._msdcs records. If the existing gc._msdcs record is a CNAME, BIND fails
the update with the message "attempt to add non-CNAME alongside CNAME ignored",
and the new DC is not registered as a GC server.
The A & AAAA record types for gc._msdcs have been verified against the DNS
server of a W2K8 DC.
2010-06-14 12:14:46 +02:00
Matthias Dieter Wallnöfer
4b6ce8efc0
s4:fix allocated control OIDs for "password_hash" LDB module
...
The password hash module controls overlapped others. Sorry, but the
"schema_samba4.ldif" hasn't been kept up-to-date.
2010-06-13 18:35:19 +02:00
Jelmer Vernooij
74ed48aa1c
Friendlier message.
2010-06-13 18:19:03 +02:00
Jelmer Vernooij
d9d0d54475
upgradeprovision: Use logging infrastructure.
2010-06-13 18:19:03 +02:00
Jelmer Vernooij
956a256faa
s4-python: Start using standard python logging infrastructure rather
...
than simple messaging callbacks.
2010-06-13 18:19:03 +02:00
Matthias Dieter Wallnöfer
b8ea2e0757
s4:provision - fix typo in substitution variable
2010-06-06 20:42:19 +02:00
Matthias Dieter Wallnöfer
40ced1a3be
s4:setup/*.ldif - remove unneeded "cn" attributes
...
Should be generated automatically
2010-05-24 14:01:05 +02:00
Matthias Dieter Wallnöfer
38e9a7f577
s4:domain functional level - it is also specified in the domain object under partitions
...
Discovered by the "ldapcmp" tool
2010-05-13 15:14:06 +02:00
Matthias Dieter Wallnöfer
92aa194145
s4:provision_configuration.ldif - add more extended rights objects
2010-05-13 15:06:35 +02:00
Matthias Dieter Wallnöfer
9005227e72
s4:provision_users.ldif - fix up and reorder the well-known security principals
2010-05-13 14:51:10 +02:00
Matthias Dieter Wallnöfer
c715f6d3f9
s4:provision_configuration.ldif - add more Windows 2008 forest operations
2010-05-13 14:47:32 +02:00
Matthias Dieter Wallnöfer
eaea676916
s4:provision_configuration.ldif - the revision level of "Windows2003Update" should obviously be 10
...
Compared against my Windows Server 2008 and Zahari's output.
2010-05-13 14:47:31 +02:00
Matthias Dieter Wallnöfer
025eaceb5c
s4:provision_configuration.ldif - "CN=94fdebc6-8eeb-4640-80de-ec52b9ca17fa" operation is of version 3
2010-05-13 14:47:30 +02:00
Matthias Dieter Wallnöfer
47818b19fc
s4:provision*.ldif - always set the "msDS-NcType" attribute correctly
2010-05-13 14:47:30 +02:00
Matthias Dieter Wallnöfer
1885327b30
s4:provision_configuration.ldif - set the right schedule on the default site in the NTDS site settings
2010-05-13 14:47:29 +02:00
Matthias Dieter Wallnöfer
8acd8b97a6
s4:provision_configuration.ldif - The "NTDS Quotas" object is system-critical
2010-05-13 14:47:29 +02:00
Matthias Dieter Wallnöfer
79ac53eb3b
s4:provision_configuration.ldif - "sites" object
...
- The default site doesn't contain a licensing object
- Adequate two other values (a "showInAdvancedViewOnly" and a "systemFlags" one)
2010-05-13 14:10:02 +02:00
Matthias Dieter Wallnöfer
f57bcc92b5
s4:provision.ldif - add IP security objects as they exist on Windows Server
2010-05-13 13:03:47 +02:00
Matthias Dieter Wallnöfer
44e05dfb73
s4:provision.ldif - add more Windows 2008 domain operations
2010-05-13 13:03:46 +02:00
Matthias Dieter Wallnöfer
cc2bd1f777
s4:provision_users.ldif - On Windows Server >= 2008 security principal S-1-5-20 doesn't exist anymore
2010-05-13 13:03:45 +02:00
Matthias Dieter Wallnöfer
350c61922e
s4:provision.ldif - "passwordSettingsContainer" add "showInAdvancedViewOnly"
2010-05-13 13:03:44 +02:00
Matthias Dieter Wallnöfer
bbb5825a6f
s4:provision.ldif - fix up "NTDS Quotas" "systemFlags"
2010-05-13 13:03:43 +02:00
Matthias Dieter Wallnöfer
b2bd02e11e
s4:provision_users.ldif - fix up Administrator's "userAccountControl"
2010-05-13 13:03:43 +02:00
Matthias Dieter Wallnöfer
8c796715c1
s4:provision_basedn_modify.ldif - fix up "maxPwdAge"
2010-05-13 13:03:31 +02:00
Matthias Dieter Wallnöfer
5e4d91f7aa
s4:provision_users.ldif - Fix typos in user/group objects
2010-05-13 11:17:52 +02:00
Matthias Dieter Wallnöfer
726fb35f9f
s4:dsdb: add new controls
...
- Add a new control for getting status information (domain information,
password change status) directly from the module
- Add a new control for allowing direct hash changes
- Introduce an additional control "change_old password checked" for the password
2010-05-10 17:54:15 +02:00
Stefan Metzmacher
1913e03bd4
s4:setup: mark DSDB_CONTROL_DN_STORAGE_FORMAT_OID 1.3.6.1.4.1.7165.4.3.4 as allocated
...
metze
2010-05-10 17:54:15 +02:00
Stefan Metzmacher
6ee53309a1
s4:blackbox password tests - more complex passwords
2010-05-10 12:20:26 +02:00
Matthias Dieter Wallnöfer
e4ce727c8d
s3:provision_basedn_modify.ldif - add "msDS-NcType" attribute and fix comments
2010-05-10 09:21:17 +02:00
Marcel Ritter
e6f59613fe
Install spn_update_list to setup/ dir
...
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
2010-04-27 21:05:00 +02:00
Andrew Tridgell
fa26383884
s4-dsdb: added samba_spnupdate
...
this script adds all our required servicePrincipalName entries at
runtime. The admin can add more entries to spn_update_list as needed
2010-04-27 19:27:18 +10:00
Andrew Tridgell
570c89287e
s4-dns: explain what the file is for
2010-04-27 19:27:18 +10:00
Andrew Tridgell
be35a40e03
s4-dns: fixed dc.dc duplication in DNS update list
2010-04-27 11:01:23 +10:00
Andrew Bartlett
bd08249d68
s4:provision Remove moduleload for 'hdb' (wrong name).
...
The backends are not normally modules anyway
2010-04-22 19:55:06 +10:00
Andrew Bartlett
e11f92ba73
s4:provision Make OpenLDAP backend more robust
...
With the extra moduleload lines (which succeed if it's already
statically linked), we now work with OpenLDAP overlays as modules.
Andrew Bartlett
2010-04-22 18:37:19 +10:00
Andrew Bartlett
466fbe278a
s4:provision Pass nosync in for the OpenLDAP cn=config too
2010-04-22 18:37:19 +10:00
Andrew Bartlett
cbb818222a
s4:OpenLDAP-backend Use the new rdnval module in OpenLDAP
...
This is rather than rdn_name, which tries to do the job on the client
side. We need to leave this module in the stack for Fedora DS (and of
course the LDB backend).
Andrew Bartlett
2010-04-22 18:37:18 +10:00
Andrew Bartlett
a50f6aad85
s4:provision Use more reasonable values for DB_CONFIG
...
With the OpenLDAP backend, the old DB_CONFIG caused OpenLDAP to abort
on startup, and was very inefficient. This new one, kindly supplied
by Matthew Backes <mbackes@symas.com> uses a more reasonable set of
buffer sizes.
Andrew Bartlett
2010-04-22 18:37:18 +10:00
Andrew Tridgell
5e695dec2a
s4-upgradeprovision: fixed --realm option duplicate in upgrade_from_s3
2010-04-21 13:35:56 +10:00
Andrew Tridgell
8fdfcde56c
s4-provision: cope with --realm being in getopt.py
...
we still need to allow for interactive querying of the realm
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-04-21 13:35:56 +10:00
Matthieu Patou
b8d6f1ce89
s4 provision: Remove hard coded ACL for GPO objects
...
It is no longer needed to hard code ACL for GPO object as we have now code
that calculates ACL from defaultSecurityDescriptor and inheritance correctly.
In fact the resulting ACL returned by this hard coded value is a bit wrong as
some ACE are duplicated.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
2010-04-15 18:45:40 +02:00
Stefan Metzmacher
f1ecdb980b
s4:setup/wscript_build: install dns_update_list into ${SETUPDIR}
...
metze
2010-04-15 18:37:40 +02:00
Jelmer Vernooij
dd4ef4e106
s4-python: More cleanups.
2010-04-08 23:20:36 +02:00
Jelmer Vernooij
d7a46ee129
s4-python: Simplify code, improve formatting.
2010-04-08 23:20:36 +02:00
Thomas Nagy
7f3116a63d
build: allow the waf build to work with python 3.0 and 3.1
...
Python 3.x is a bit fussier about print statements and indentation.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-04-08 07:46:39 +10:00
Andrew Tridgell
f9eae32f4b
s4-waf: mark the wscript files as python so vim/emacs knows how to highlight them
2010-04-06 20:27:11 +10:00
Andrew Tridgell
bd7bf0e1a9
s4-waf: install the rest of our python files
2010-04-06 20:27:10 +10:00
Andrew Tridgell
a2a4fee8c6
s4-waf: forgot these files
2010-04-06 20:27:09 +10:00
Jelmer Vernooij
31a517e172
s4-python: Move dsdb constants to a separate python module.
2010-04-04 00:14:23 +02:00
Andrew Tridgell
088096d1ba
python: use '#!/usr/bin/env python' to cope with varying install locations
...
this should be much more portable
2010-03-25 14:37:19 +11:00
Oliver Liebel
752b2206cb
Fixed --ol-mmr-url helpline
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-03-18 11:27:57 +11:00
Oliver Liebel
947560fe37
Fixed OL-MMR make test
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-03-18 11:27:51 +11:00
Matthias Dieter Wallnöfer
5e06110bc1
Reintroduce "s4:provision Improve the handling of provision errors"
...
This mainly reverts commit f0bc02d74c.
Jelmer pointed out a way how we can achieve the same error handling with an
older syntax also on Python 2.4+.
2010-03-14 10:34:26 +01:00
Matthias Dieter Wallnöfer
f0bc02d74c
Revert "s4:provision Improve the handling of provision errors"
...
This reverts partially commit 027123199e.
Andrew, this is not Python 2.4+ compatible
2010-03-13 12:37:45 +01:00
Endi S. Dewata
ade93755d5
s4:provision - Updated FDS schema mapping.
2010-03-11 15:30:25 +11:00
Andrew Bartlett
027123199e
s4:provision Improve the handling of provision errors
...
The backtraces were too confusing for our users, and didn't tell them
what to do to fix the problem. By printing the string (rather than a
backtrace), and including in the error what to do, and what file to
remove, we give them a chance.
Andrew Bartlett
2010-03-11 15:28:53 +11:00
Matthias Dieter Wallnöfer
73e7aa863b
s4:provision.reg - call us Windows 2008 from the current version point of view
2010-03-06 18:51:41 +01:00
Endi S. Dewata
c54699faf2
s4:provision - Moved default FDS SASL mappings deletion from post_setup() to init().
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-03-02 14:07:15 +11:00
Endi S. Dewata
02533c9f1b
s4:provision - Use netbios name for FDS instance name.
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-03-02 14:07:01 +11:00
Matthias Dieter Wallnöfer
2caa2a045d
s4:provision.zone - fix port of "_ldap._tcp.gc._msdcs"
2010-02-26 21:00:10 +01:00
Andrew Tridgell
336ebeabad
s4-provision: added dns_update_list
...
This contains the list of DNS names we should have as a DC
2010-02-26 14:27:39 +11:00
Andrew Tridgell
c796b6c52e
s4-provision: fixed port number for gc ldap DNS SRV entry
...
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-26 13:59:17 +11:00
Andrew Tridgell
9a72806dc9
Revert "s4:AD content - adequate some revision levels to match Windows Server 2008"
...
This reverts commit 973ea19867.
This change breaks DRS dcpromo.
2010-02-26 13:22:12 +11:00
Matthias Dieter Wallnöfer
017e401ded
s4:AD content - Implement the new password settings container
2010-02-21 21:19:57 +01:00
Matthias Dieter Wallnöfer
973ea19867
s4:AD content - adequate some revision levels to match Windows Server 2008
2010-02-21 21:19:56 +01:00
Matthias Dieter Wallnöfer
e592deeb1a
s4:AD content - Add the DFSR objects which exist on Windows Server >= 2008
...
Those replace the FRS ones.
2010-02-21 21:19:56 +01:00
Eduardo Lima
9c46f425a2
s4-drs: enable the recyclebin optional feature
...
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-02-16 00:12:09 +11:00
Andrew Tridgell
4aaa7fe43b
s4-provision: fixed --function-level option to provision
...
we need the DS_DOMAIN_* levels imported
2010-02-12 01:08:11 +11:00
Andrew Tridgell
c986bfb22e
s4-provision: pre-create a named.conf.update file
...
The named.conf.update file will be filled in at runtime by Samba to
contain the list of bind9 grant rules for granting DNS dynamic update
permissions on the domain.
2010-02-11 21:04:12 +11:00
Andrew Tridgell
5a72eca574
s4-provision: move zone file to dns subdirectory
...
This allows the permissions to be correctly set for bind to write to
a journal file. It also sets the right group ownership and permissions
on the files that bind needs to access.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-02-11 21:04:11 +11:00
Andrew Bartlett
f299fe565a
s4:provision Just 'do the right thing' with empty smb.conf files
...
For some reason, JHT keeps on creating an empty smb.conf file,
expecting it to be the same as a non-existent one. It is easier to
just realise what he meant.
Andrew Bartlett
2010-02-10 16:18:21 +11:00
Jelmer Vernooij
0b7910b8bf
upgrade_from_s3: Remove unused imports.
2010-01-25 15:18:01 +01:00
Endi S. Dewata
d69d07ce62
s4-provision: Added msDS-NcType into samba4Top object class
...
Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
2010-01-23 22:41:28 +01:00
Endi S. Dewata
ce709389e6
s4-provision: Disable populating FDS during instance creation.
...
Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
2010-01-23 22:40:51 +01:00
Matthieu Patou
c637c52876
provision: use message and do not display warning if the user chose deliberately posix:eadb
2010-01-21 07:11:17 +13:00
Matthieu Patou
d4514a6539
provision: introduce use-xattr parameter for defining where to store attributes
...
This option allows a simple user (non root) to invoke provision without facing an error
while ensuring that ACL on shared files will always be set
2010-01-21 07:11:17 +13:00
Matthieu Patou
e78626dc2e
s4: Set acls correctly on all sysvol and scripts shares
2010-01-21 07:11:15 +13:00
Matthieu Patou
028c9b1c15
s4: regroup gpo modification in one function, set acl on files accordingly with ACL in LDAP
2010-01-21 07:11:14 +13:00
Andrew Tridgell
84b47d3334
s4-provision: added w2k8r2 ldap capabilities
2010-01-16 14:10:44 +11:00
Andrew Tridgell
a9808ae83d
s4-provision: added "check-names ignore;" to allow for _msdcs A records
2010-01-16 14:10:44 +11:00
Matthias Dieter Wallnöfer
b1d2bb3e51
s4:provision_users.ldif - Add a comment that some objects under "Users" are now located elsewhere
...
This is needed due to the new RID/SID distribution system
2010-01-14 10:58:08 +01:00
Matthias Dieter Wallnöfer
face5d3030
s4:provision_users.ldif - Add objects for IIS
...
Some WSPP locations point out that beginning with Windows Server 2008 they're
also per default present.
Compared against Windows Server 2008
2010-01-14 10:58:08 +01:00
Matthias Dieter Wallnöfer
9ac39b659f
s4:provision_users.ldif - Add additional BUILTIN objects
...
Compared against Windows Server 2008
2010-01-14 10:58:08 +01:00