1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

34 Commits

Author SHA1 Message Date
Stefan Metzmacher
3ed1ba6fed s4:provision: use better values for operatingSystem[Version]
Some clients (e.g. an exchange server) check operatingSystemVersion
in order to check if a domain controller is new enough.

So we better use a value matching the dc functional level.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-19 03:31:30 +00:00
Douglas Bagnall
0a555cf097 CVE-2020-25722 s4/provision: add host/ SPNs at the start
There are two reasons for this. Firstly, leaving SPNs unclaimed is
dangerous, as someone else could grab them first. Secondly, in some
circumstances (self join) we try to add a DNS/ SPN a little bit later
in provision. Under the rules we are introducing for CVE-2020-25722,
this will make our later attempts to add HOST/ fail.

This causes a few errors in samba4.blackbox.dbcheck.* tests, which
assert that revivified old domains match stored reference versions.
Now they don't, because they have servicePrincipalNames.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Andrew Bartlett
c271b71420 s4-provision Perform 'modify' operations as system
We need this so that we can modify the cn=configuration partition when
we are setting up a new subdomain.

The serverReference on our ${SERVERDN} is in that partition, and
without this change creating a new subdomain fails due to ACLs.

Andrew Bartlett
2011-09-13 15:37:12 +10:00
Andrew Bartlett
6635bb70d3 s4-provision Add initial support for joining as a new subdomain
To do this we need to reorganise a lot of the provision code, so that
we can create the framework for the inbound replicaton of the config
and schema partitions and then add in the new subdomain locally.

Andrew Bartlett
2011-09-13 15:37:11 +10:00
Amitay Isaacs
b36e9de863 s4-provision: LDIF files to set up AD DNS schema
This files set up DomainDnsZones and ForestDnsZones partitions and
other configuration parameters for replication.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-09-08 00:35:37 +02:00
Matthias Dieter Wallnöfer
3c8283da41 s4:provision_self_join.ldif - the object SID in AD is called "objectSid"
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Tue Nov  9 13:18:29 UTC 2010 on sn-devel-104
2010-11-09 13:18:29 +00:00
Matthias Dieter Wallnöfer
bd5039546e s4:provision - switch to "clearTextPassword" for setting passwords
This is the default password set/change attribute for s4 specific purposes
(otherwise in respect to Windows it's "unicodePwd"). We move away from
"userPassword" since on Windows it's not activated by default - and s4 will
follow soon.
2010-11-09 13:22:00 +01:00
Matthias Dieter Wallnöfer
572774a7a0 s4:provision - remove the "servicePrincipalName" creation on the DC object
This is now done by the "samba_spnupdate" script.
2010-10-31 18:44:07 +00:00
Matthias Dieter Wallnöfer
5cb99aa81a s4:setup/provision_self_join.ldif - let the samldb LDB module fill in "isCriticalSystemObject"
It recognizes it now automatically.
2010-10-13 13:35:21 +00:00
Matthias Dieter Wallnöfer
4fd8ce42ce s4:setup/provision_self_join.ldif - now the samldb LDB module detects automatically that this is a DC account 2010-09-12 19:23:06 +02:00
Stefan Metzmacher
712a149802 s4:provision: don't use hardcoded values for 'nextRid' and 'rIDAvailablePool'
On Windows dcpromo imports nextRid from the local SAM,
which means it's not hardcoded to 1000.

The initlal rIDAvailablePool starts at nextRid + 100.

I also found that the RID Set of the local dc
should be created via provision and not at runtime,
when the first rid is needed.
(Tested with dcpromo on w2k8r2, while disabling the DNS
 check box).

After provision we should have this (assuming nextRid=1000):

rIDAllocationPool: 1100-1599
rIDPrevAllocationPool: 1100-1599
rIDUsedPool: 0
rIDNextRID: 1100

rIDAvailablePool: 1600-1073741823

Because provision sets rIDNextRid=1100, the first created account
(typically DNS related accounts) will get 1101 as rid!

metze
2010-06-26 09:50:54 +02:00
Matthias Dieter Wallnöfer
e592deeb1a s4:AD content - Add the DFSR objects which exist on Windows Server >= 2008
Those replace the FRS ones.
2010-02-21 21:19:56 +01:00
Matthias Dieter Wallnöfer
fca0c4de2a s4:provision_self_join.ldif - Adapt comment after implementation of distributed RIDs 2010-01-08 18:18:21 +01:00
Andrew Tridgell
53d10d139e s4-provision: don't hard wire the creation of the RID Set object
We now create it automatically in the samldb module when the first
user is created. 

The creation of the dns user also had to move to the _modify.ldif as
it now relies on the fSMO role being setup for the RID Manager

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 13:03:00 +11:00
Andrew Tridgell
5eb3b919c5 s4-provision: the DC object itself needs a fixed objectSID
We can't allocate a objectSID until we have rIDSetReferences, but that
is in the DC object, so we have to force the objectSID of the DC

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 13:02:58 +11:00
Andrew Tridgell
a1362492ab s4-provision: added an initial RID Set
We will allocate RIDs from this set

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-01-08 13:02:58 +11:00
Matthieu Patou
8bf517d340 s4: Improve provisioning: use relax control
Give the possibility to specify controls when loading ldif files.
  Relax control is specified by default for all ldb_add_diff (request Andrew B).
  Set domainguid if specified at the creation of object instead of modifying afterward
  Allow to specify objectGUID for NTDS object of the first DC this option is used during provision upgrade.
2009-10-02 12:45:01 +02:00
Matthias Dieter Wallnöfer
fa4023d6f7 s4:provision - Some rework (continuation)
- Fix up "servicePrincipalNames" attributes on the DC object
- Add some informative comments (most in "provision_self_join.ldif")
- Add also comments where objects are missing which we may add later when we
  support the feature (mainly for FRS)
- Add "domain updates" objects also under "CN=Configuration" (they exist twice)
- Add the default services under "Services" to allow interoperability with some
  MS client tools
- Smaller changes
2009-09-17 21:19:24 +02:00
Matthias Dieter Wallnöfer
c73984a5c9 s4:AD LDIFs - More refactoring
This commit includes:
- Additional static object data in SAMBA 4's AD to start supporting of
  - forest updates, - lost and found, - quotas on DS, - physical locations,
  - licensing of sites, - subnets, - policies for WMI, - DNS entries in AD
- Reordering of provision*.ldif files to be able to find entries and make future
  additions easier
- Add comments in provision*.ldif files to point out where subentries are located
  when they are based in other LDIFs
- Removations of autogenerated "cn" attributes
2009-08-11 12:59:13 +02:00
Matthias Dieter Wallnöfer
2fc5331e5c [SAMBA 4 directory] Refactoring and clean up of directory structure
- Adds more system objects which make sense to have them in SAMBA 4 also to
  have them when we add more and more services related to the directory (volume
  support, DFS, replication service, COM...)
- Make sure that "isCriticalSystemObject" and "showInAdvancedViewOnly" attributes
  are set correctly on each object
2009-07-20 14:21:09 +10:00
Andrew Bartlett
271b5af92e s4:dsdb Handle dc/domain/forest functional levels properly
Rather than have the functional levels scattered in 4 different,
unconnected locations, the provision script now sets it, and the
rootdse module maintains it's copy only as a cached view onto the
original values.

We also use the functional level to determine if we should store AES
Kerberos keys.

Andrew Bartlett
2009-07-16 09:23:35 +10:00
Matthias Dieter Wallnöfer
d4a969530d [SAMBA 4 directory] Adds the complete "objectclass path" to our self-created DC object
Found after some comparisons against Windows Server 2003 R2.
2009-07-01 14:50:42 +10:00
Andrew Bartlett
44ea6a26fd rename sambaPassword -> userPassword.
This attribute is used in a very similar way (virtual attribute
updating the password) in AD on Win2003, so eliminate the difference.

This should not cause a problem for on-disk passwords, as by default
we do not store the plaintext at all.

Andrew Bartlett
(This used to be commit 1cf0d75149)
2008-07-12 15:26:42 +10:00
Andrew Bartlett
e8a3621a8f Be consistant in using ${SEVERDN}.
This ensures we don't fall out of sync with the provision scripts.

Andrew Bartlett
(This used to be commit 566c60b464)
2008-04-09 14:51:22 +10:00
Andrew Bartlett
2ab6dd9ea5 Remove references to setting the host GUID, as the repl_meta_data
module prohibits it anyway.

Andrew Bartlett
(This used to be commit c5b287c056)
2008-04-02 11:38:58 +11:00
Andrew Bartlett
446fb38765 Users and computers now share the same template.
Slowly work away at the samldb module again, it is clear that AD does
not use much of a templating system.  samAccountType is managed, as
far as I can tell, when groupType or userAccountControl changes.

Andrew Bartlett
(This used to be commit 447d5a7954)
2008-02-28 08:43:10 +11:00
Andrew Bartlett
b39676089e Remove default 'showInAdvancedViewOnly' values.
This means we only show and set the values when they are not the
values the schema and objectclass module would impose.

Andrew Bartlett
(This used to be commit c2f2e01357)
2008-01-18 18:10:18 +11:00
Andrew Bartlett
873c7457c6 Don't manually specify instanceID in the template files.
The instanceid module creates this automaticlly, so we don't need this
any more.

Andrew Bartlett
(This used to be commit f6dbdf34e8)
2008-01-18 13:30:20 +11:00
Andrew Bartlett
f5860b5a85 r26298: Use metze's schema loading code to pre-initialise the schema into the
samdb before we start writing entries into it.

In doing so, I realised we still used 'dnsDomain', which is not part
of the standard schema (now removed).

We also set the 'wrong' side of the linked attributes for the
masteredBy on each partition - this is now set in provision_self_join
and backlinks via the linked attributes code.

When we have the schema loaded, we must also have a valid domain SID
loaded, so that the objectclass module works.  This required some ejs
glue.

Andrew Bartlett
(This used to be commit b0de08916e)
2007-12-21 05:48:15 +01:00
Andrew Bartlett
999d47e41e r25452: Move the creation of the server entry to the self join, as this makes
no sense on a member server.

Andrew Bartlett
(This used to be commit 70467fa4c5)
2007-10-10 15:07:37 -05:00
Andrew Bartlett
ee257e902a r25299: Modify the provision script to take an additional argument: --server-role
This must be set to either 'domain controller', 'domain member' or 'standalone'.

The default for the provision now changes to 'standalone'.

This is not because Samba4 is particularlly useful in that mode, but
because we still want a positive sign from the administrator that we
should advertise as a DC.

We now do more to ensure the 'standalone' and 'member server'
provision output is reasonable, and try not to set odd things into the
database that only belong for the DC.

Andrew Bartlett
(This used to be commit 4cc4ed7719)
2007-10-10 15:07:09 -05:00
Andrew Bartlett
f681306335 r24760: Ensure we base64 encode any password being put into LDIF, to avoid
provision failures when some of the random password values are illigal
LDIF.

Andrew Bartlett
(This used to be commit 876003f6c6)
2007-10-10 15:03:05 -05:00
Andrew Bartlett
1cc770fc58 r23815: Thanks to Matthias Wallnoefer <mwallnoefer@yahoo.de> for pointing out
that we had the wrong objectClass for OU=Domain
Controllers,${DOMAINDN} (was CN=Domain Controllers,${DOMAINDN})

This fixes both the SAMR server and the LDIF templates.

Andrew Bartlett
(This used to be commit 625a9e6c04)
2007-10-10 14:59:22 -05:00
Andrew Bartlett
967866f170 r23720: Allow the member server to work against an LDAP Backend. Another case
where LDB isn't as strict as OpenLDAP, the self join record contains
duplicate servicePrincipalNames once the DNS name and domain name are
made equal.  (Easier to just skip the useless self-join).

Andrew Bartlett
(This used to be commit 49ff929be6)
2007-10-10 14:59:08 -05:00