1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

54 Commits

Author SHA1 Message Date
Joseph Sutton
fb0f65b0b5 s4:provision_users.ldif: Add Protected Users group
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-18 11:55:30 +00:00
Garming Sam
f4286f3516 typo: Change case to match DN
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-12-14 08:20:14 +01:00
Andrew Bartlett
846e342648 s4-provision Split addition of users and well known principals
If we are provisioning a subdomain, then these are already in
cn=configuration.

Andrew Bartlett
2011-09-13 15:37:12 +10:00
Matthias Dieter Wallnöfer
bd5039546e s4:provision - switch to "clearTextPassword" for setting passwords
This is the default password set/change attribute for s4 specific purposes
(otherwise in respect to Windows it's "unicodePwd"). We move away from
"userPassword" since on Windows it's not activated by default - and s4 will
follow soon.
2010-11-09 13:22:00 +01:00
Matthias Dieter Wallnöfer
64e19ef9fb s4:provision_users.ldif - change a group description to be correct 2010-06-24 10:04:52 +02:00
Matthias Dieter Wallnöfer
9005227e72 s4:provision_users.ldif - fix up and reorder the well-known security principals 2010-05-13 14:51:10 +02:00
Matthias Dieter Wallnöfer
cc2bd1f777 s4:provision_users.ldif - On Windows Server >= 2008 security principal S-1-5-20 doesn't exist anymore 2010-05-13 13:03:45 +02:00
Matthias Dieter Wallnöfer
b2bd02e11e s4:provision_users.ldif - fix up Administrator's "userAccountControl" 2010-05-13 13:03:43 +02:00
Matthias Dieter Wallnöfer
5e4d91f7aa s4:provision_users.ldif - Fix typos in user/group objects 2010-05-13 11:17:52 +02:00
Matthias Dieter Wallnöfer
b1d2bb3e51 s4:provision_users.ldif - Add a comment that some objects under "Users" are now located elsewhere
This is needed due to the new RID/SID distribution system
2010-01-14 10:58:08 +01:00
Matthias Dieter Wallnöfer
face5d3030 s4:provision_users.ldif - Add objects for IIS
Some WSPP locations point out that beginning with Windows Server 2008 they're
also per default present.

Compared against Windows Server 2008
2010-01-14 10:58:08 +01:00
Matthias Dieter Wallnöfer
9ac39b659f s4:provision_users.ldif - Add additional BUILTIN objects
Compared against Windows Server 2008
2010-01-14 10:58:08 +01:00
Matthias Dieter Wallnöfer
2a05dd6fcc s4:provision_users.ldif - add the restant part of the objects needing for RODC support
RODC = Read Only Domain Controllers

Compared against Windows Server 2008
2010-01-14 10:58:07 +01:00
Matthias Dieter Wallnöfer
71357053bb s4:provision_users.ldif - Fix up errors on existing entries
Compared against Windows Server 2008
2010-01-14 10:58:07 +01:00
Matthias Dieter Wallnöfer
81053e9124 s4:provision_users.ldif - Simple reordering
Sorted according the SID - easier for later enhancements.
2010-01-14 10:58:07 +01:00
Matthias Dieter Wallnöfer
a0d7f3e344 s4:provision_users.ldif - Remove system objects from the wrong place
Objects like the "Cryptographic Operators", "Event Log Readers" don't belong
here but into the builtin domain.
2010-01-14 10:58:06 +01:00
Matthias Dieter Wallnöfer
5c6c2619fb s4:provision_users.ldif - Descriptions generally begin with a majuscle 2009-11-17 19:46:59 +01:00
Andrew Tridgell
cc3e1d9022 s4-provision: removed the old privilege attributes
Our schema is getting a bit cleaner :-)
2009-10-17 13:01:02 +11:00
Matthias Dieter Wallnöfer
d87cfc7cc4 s4:provision_users.ldif - Put potential primary groups in front of the file
(So they can be always found by the SAMLDB module)
2009-10-02 15:26:02 +02:00
Matthias Dieter Wallnöfer
90d6829f8a s4:Foreign security principals - Fix them up
I fixed them up to match with Windows Server 2003. I don't think that the
creation of them in the provision script is needed so I put them in the
"provision_users.ldif" file.
2009-09-07 08:37:25 +02:00
Matthias Dieter Wallnöfer
931aa4e8bd s4:provision - Change the "provision_users.ldif" file to support the "samldb" changes
The "provision_users.ldif" file needs some rework to pass against the changed
and improved "samldb" module (see next commit).
2009-09-07 08:37:23 +02:00
Matthias Dieter Wallnöfer
c73984a5c9 s4:AD LDIFs - More refactoring
This commit includes:
- Additional static object data in SAMBA 4's AD to start supporting of
  - forest updates, - lost and found, - quotas on DS, - physical locations,
  - licensing of sites, - subnets, - policies for WMI, - DNS entries in AD
- Reordering of provision*.ldif files to be able to find entries and make future
  additions easier
- Add comments in provision*.ldif files to point out where subentries are located
  when they are based in other LDIFs
- Removations of autogenerated "cn" attributes
2009-08-11 12:59:13 +02:00
Matthias Dieter Wallnöfer
2fc5331e5c [SAMBA 4 directory] Refactoring and clean up of directory structure
- Adds more system objects which make sense to have them in SAMBA 4 also to
  have them when we add more and more services related to the directory (volume
  support, DFS, replication service, COM...)
- Make sure that "isCriticalSystemObject" and "showInAdvancedViewOnly" attributes
  are set correctly on each object
2009-07-20 14:21:09 +10:00
Matthias Dieter Wallnöfer
b31f1e6d5b [SAMBA 4 directory] Corrects the "systemFlags" attributes
Set the values like Windows Server 2003 R2.
2009-07-01 14:50:42 +10:00
Andrew Tridgell
750a848d0d added some more well known SIDs - thanks to the WSPP LSAT test suite 2008-09-29 16:01:07 -07:00
Andrew Tridgell
91d6cdd89a now that ldap integers are 32 bit, we need to put the right 32 bit
value in for group type to avoid sign extension, otherwise we don't
find the builtin groups
(This used to be commit 9b55863939)
2008-08-22 21:26:32 +10:00
Andrew Bartlett
44ea6a26fd rename sambaPassword -> userPassword.
This attribute is used in a very similar way (virtual attribute
updating the password) in AD on Win2003, so eliminate the difference.

This should not cause a problem for on-disk passwords, as by default
we do not store the plaintext at all.

Andrew Bartlett
(This used to be commit 1cf0d75149)
2008-07-12 15:26:42 +10:00
Andrew Kroeger
07cb435d40 accountExpires: Windows default is 9223372036854775807, not -1.
(This used to be commit be47cc7fdf)
2008-03-07 05:59:55 -06:00
Andrew Bartlett
446fb38765 Users and computers now share the same template.
Slowly work away at the samldb module again, it is clear that AD does
not use much of a templating system.  samAccountType is managed, as
far as I can tell, when groupType or userAccountControl changes.

Andrew Bartlett
(This used to be commit 447d5a7954)
2008-02-28 08:43:10 +11:00
Andrew Bartlett
b39676089e Remove default 'showInAdvancedViewOnly' values.
This means we only show and set the values when they are not the
values the schema and objectclass module would impose.

Andrew Bartlett
(This used to be commit c2f2e01357)
2008-01-18 18:10:18 +11:00
Andrew Bartlett
873c7457c6 Don't manually specify instanceID in the template files.
The instanceid module creates this automaticlly, so we don't need this
any more.

Andrew Bartlett
(This used to be commit f6dbdf34e8)
2008-01-18 13:30:20 +11:00
Andrew Bartlett
27c9f6c235 r25891: Test that we get the correct return value when we attempt to reference
invalid entries with a linked attribute.

Make Samba4 pass that test, by fixing a silly bug in the
linked_attributes module.  (By passing down the 'original' request
structure, tdb would override our handle, and therefore we would never
be called for the 'wait', which collects the errors).

Fix up the provision templates to handle the newly required
referential integrity.

Andrew Bartlett
(This used to be commit 0377d85bbd)
2007-12-21 05:44:41 +01:00
Andrew Bartlett
7c721a1f49 r25747: Implement linked attributes, for add operations.
Much more work is still required here, particularly to handle this
better during the provision, and to handle modifies and deletes, but
this is a start.

Andrew Bartlett
(This used to be commit 2ba99d58e9)
2007-12-21 05:43:41 +01:00
Andrew Bartlett
ee257e902a r25299: Modify the provision script to take an additional argument: --server-role
This must be set to either 'domain controller', 'domain member' or 'standalone'.

The default for the provision now changes to 'standalone'.

This is not because Samba4 is particularlly useful in that mode, but
because we still want a positive sign from the administrator that we
should advertise as a DC.

We now do more to ensure the 'standalone' and 'member server'
provision output is reasonable, and try not to set odd things into the
database that only belong for the DC.

Andrew Bartlett
(This used to be commit 4cc4ed7719)
2007-10-10 15:07:09 -05:00
Andrew Bartlett
f681306335 r24760: Ensure we base64 encode any password being put into LDIF, to avoid
provision failures when some of the random password values are illigal
LDIF.

Andrew Bartlett
(This used to be commit 876003f6c6)
2007-10-10 15:03:05 -05:00
Andrew Bartlett
73388ce54c r24729: First try and publishing a DNS service account, for folks to play with.
The keytab in dns.keytab should (I hope) do the job.

Andrew Bartlett
(This used to be commit af4d331eef)
2007-10-10 15:02:58 -05:00
Andrew Bartlett
4b31fd4409 r24696: Fix bug 4918 reported by Matthias Wallnöfer <mwallnoefer@yahoo.de>
with a patch from Andrew Kroeger <andrew@sprocks.gotdns.com>.

The changes to samldb_fill_foreignSecurityPrincipal_object() look much
larger then they are: We just skip all the objectSid generation if the
SID is supplied.

By providing a few more objects, standard dialogs on the clients are
better behaved, for these 'well known' users.

Andrew Bartlett
(This used to be commit 35ee4aee71)
2007-10-10 15:02:48 -05:00
Andrew Bartlett
ebce7a586b r24694: Remove objectCategory entries from the setup templates. These can be
autogenerated by the objectclass module when the the entries are
added.

Andrew Bartlett
(This used to be commit 79e13349f0)
2007-10-10 15:02:48 -05:00
Andrew Bartlett
967866f170 r23720: Allow the member server to work against an LDAP Backend. Another case
where LDB isn't as strict as OpenLDAP, the self join record contains
duplicate servicePrincipalNames once the DNS name and domain name are
made equal.  (Easier to just skip the useless self-join).

Andrew Bartlett
(This used to be commit 49ff929be6)
2007-10-10 14:59:08 -05:00
Stefan Metzmacher
8f0a0ebcb3 r20557: use ${DOMAINDN} instead of ${BASEDN}
metze
(This used to be commit 2a6e6a2695)
2007-10-10 14:36:56 -05:00
Stefan Metzmacher
8b70764038 r20553: add ${CONFIGDN} and ${SCHEMADN} instead of using hardcoded paths
under ${BASEDN}

metze
(This used to be commit 09ca6aae12)
2007-10-10 14:36:54 -05:00
Andrew Bartlett
2b99336a56 r17876: Require one less patch for the LDAP backend to work.
This lets the modules or backend generate the host and domain GUID,
rather than the randguid() function.  These can still be specified
from the command line.

Andrew Bartlett
(This used to be commit 32996ca9d6)
2007-10-10 14:16:50 -05:00
Andrew Bartlett
f77c410084 r16264: Add, but do not yet enable, the partitions module.
This required changes to the rootDSE module, to allow registration of
partitions.  In doing so I renamed the 'register' operation to
'register_control' and 'register_partition', which changed a few more
modules.

Due to the behaviour of certain LDAP servers, we create the baseDN
entry in two parts: Firstly, we allow the admin to export a simple
LDIF file to add to their server.  Then we perform a modify to add the
remaining attributes.

To delete all users in partitions, we must now search and delete all
objects in the partition, rather than a simple search from the root.
Against LDAP, this might not delete all objects, so we allow this to
fail.

In testing, we found that the 'Domain Controllers' container was
misnamed, and should be 'CN=', rather than 'OU='.

To avoid the Templates being found in default searches, they have been
moved to CN=Templates from CN=Templates,${BASEDN}.

Andrew Bartlett
(This used to be commit b49a4fbb57)
2007-10-10 14:09:09 -05:00
Andrew Bartlett
5f44da36e7 r16166: Remove hexidecimal constants from the Samba4 provision files.
This change is required for compatibility with the OSX client, in
particular, but returning 0x80000002 rather than -2147483646 violates
what LDAP clients expect in general.

Andrew Bartlett
(This used to be commit 81f3cd1c45)
2007-10-10 14:09:03 -05:00
Andrew Bartlett
acd190d8f6 r14200: Now we have real USN support, don't force the values in the provision
scripts.

This tests the real module, and avoids duplication.

Andrew Bartlett
(This used to be commit 0859ba59ae)
2007-10-10 13:56:59 -05:00
Andrew Tridgell
0fb2e148d1 r13097: move the creation of the default sam name -> unix name mappings into
the main provision logic, so it can also be used as part of the
vampire process
(This used to be commit 95e90169f4)
2007-10-10 13:51:24 -05:00
Andrew Bartlett
c96b572386 r12943: Generate a SID for the domain join account using the modules, rather
than a hardcoded SID.

Fix the samldb module to return the what *was* the nextrid, rather
than the new nextrid (that is for next time).

Andrew Bartlett
(This used to be commit ffe9042e15)
2007-10-10 13:51:11 -05:00
Andrew Bartlett
4bfe2907e7 r12719: Rename unicodePwd -> sambaPassword.
Because we don't know the syntax of unicodePwd, we want to avoid using
that attribute name.  It may cause problems later when we get
replication form windows.

I'm doing this before the tech preview, so we don't get too many
supprises as folks upgrade databases into later versions.

Andrew Bartlett
(This used to be commit 097d9d0b7f)
2007-10-10 13:49:45 -05:00
Andrew Bartlett
5c03e1b46e r12630: Remove attributes which should be automaticly generated.
This fixes a problem I had with kpasswd, as the account had 'expired'
due to the old pwdLastSet, hardcoded in the ldif.

Andrew Bartlett
(This used to be commit 1a9992e56a)
2007-10-10 13:49:09 -05:00
Andrew Bartlett
1c027f35d7 r12598: Make the 'objectClass' part of the templating process actually work.
We need to add to the multivalued objectClass, not ignore it because
the user has already specified a value.

Also rename the template again.

This was caught by more stringent tests in the unicodePwd module, but
breaks MMC.  A later commit will sort the objectClass.

Andrew Bartlett
(This used to be commit 0aaff059ba)
2007-10-10 13:49:01 -05:00