IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
As this test doesn't delete the user accounts at the end,
we should use test specific user names. That lowers the
chance of conflicts with other tests.
metze
Make it possible to provision a domain with a given next rid counter.
This will be useful for upgrades, where we want to import users
with already given SIDs.
metze
On Windows dcpromo imports nextRid from the local SAM,
which means it's not hardcoded to 1000.
The initlal rIDAvailablePool starts at nextRid + 100.
I also found that the RID Set of the local dc
should be created via provision and not at runtime,
when the first rid is needed.
(Tested with dcpromo on w2k8r2, while disabling the DNS
check box).
After provision we should have this (assuming nextRid=1000):
rIDAllocationPool: 1100-1599
rIDPrevAllocationPool: 1100-1599
rIDUsedPool: 0
rIDNextRID: 1100
rIDAvailablePool: 1600-1073741823
Because provision sets rIDNextRid=1100, the first created account
(typically DNS related accounts) will get 1101 as rid!
metze
This control will allow the linked_attributes module to know if
repl_meta_data has already handled the creation of forward and back
links.
Andrew Bartlett
When adding an additional DC as a GC server, the new DC attempts to register its
own gc._msdcs records. If the existing gc._msdcs record is a CNAME, BIND fails
the update with the message "attempt to add non-CNAME alongside CNAME ignored",
and the new DC is not registered as a GC server.
The A & AAAA record types for gc._msdcs have been verified against the DNS
server of a W2K8 DC.
- Add a new control for getting status informations (domain informations,
password change status) directly from the module
- Add a new control for allowing direct hash changes
- Introduce an addtional control "change_old password checked" for the password
This is rather than rdn_name, which tries to do the job on the client
side. We need to leave this module in the stack for Fedora DS (and of
course the LDB backend).
Andrew Bartlett
With the OpenLDAP backend, the old DB_CONFIG caused OpenLDAP to abort
on startup, and was very inefficient. This new one, kindly supplied
by Matthew Backes <mbackes@symas.com> uses a more reasonable set of
buffer sizes.
Andrew Bartlett
It is no longer needed to hard code ACL for GPO object as we have now code
that calculate ACL from defaultSecurityDescriptor and inheritance correctly.
In fact the resulting ACL returned by this hard coded value is a bit wrong as
some ACE are duplicated.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
The backtraces were too confusing for our users, and didn't tell them
what to do to fix the problem. By printing the string (rather than a
backtrace), and including in the error what to do, and what file to
remove, we give them a chance.
Andrew Bartlett
The named.conf.update file will be filled in at runtime by Samba to
contain the list of bind9 grant rules for granting DNS dynamic update
permissions on the domain.
This allows the permissions to be correctly set for bind to write to
a journal file. It also sets the right group ownership and permissions
on the files that bind needs to access.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
For some reason, JHT keeps on creating an empty smb.conf file,
expecting it to be the same as a non-existant one. It is easier to
just realise what he meant.
Andrew Bartlett
The schema from WSPP had a number of typos that prevented it from
working. These changes allow it to work with Samba, and allow w2k8r2
to run DCPROMO against Samba successfully
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This will be called by getncchanges when a client asks for a
DRSUAPI_EXOP_FSMO_RID_ALLOC operation
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
We now create it automatically in the samldb module when the first
user is created.
The creation of the dns user also had to move to the _modify.ldif as
it now relies on the fSMO role being setup for the RID Manager
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
We can't allocate a objectSID until we have rIDSetReferences, but that
is in the DC object, so we have to force the objectSID of the DC
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
- Revert change in "ask" - was previously correct
- Readd accidentally removed checks for non-null realm and domainname
- On interactive mode perform only one "ask" call per question
- Inform the user about the unset administrator password
- reserve a new Samba OID for recalculate SD control
- fix the update SD function
- fix handling of kvno in the update_machine_account_password function
- fix handling of handles in RPC winreg server
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This makes getting the module order correct, the obligation of Samba4
developers, and not system administrators. In particular, once an ldb
is updated to use only the 'samba_dsdb' module, no further changes to the
ldb should be required when upgrading to later Samba4 versions.
(thanks to metze for the suggestion of samba_dsdb as a long-term
stable name for the module)
Andrew Bartlett
This makes the member server much more like the DC, the objectGUID
module replaces the repl_meta_data module.
We also generally rework the construction of the list, building a full
list in python, and then transforming it into a string, rather than
playing string concatonation games
Andrew Bartlett
The schema needs to be loaded above the extended_dn_out modules as
otherwise we don't get an extended DN in the search results.
The reference split is to ensure we create references after the
objects they reference exist.
Andrew Bartlett
These flags, also on dsdb_module_search_dn() allow us to add commonly
set controls to this pre-packaged blocking search, without rebuilding
the whole function in each caller.
Andrew Bartlett
- Cleans it up from unnecessary "lower()/upper()" and parameters which can be
derived through "lp" calls.
- Substitute the "HOSTNAME" caption in the "smb.conf" templates with
"NETBIOS_NAME" which fits better.
- Now the "realm" and "domain" parameter of the provision are totally case
insensitive and the script itself up/downcases them appropriately depending
on the use (e.g. "realm" upcase for KERBEROS, lowcase for DNS domainname).
This is done by passing an extended operation to the partitions module
to extend the @PARTITION record and to extend the in-memory list of
partitions.
This also splits things up into module parts that belong above and below
repl_meta_data
Also slit the partitions module into two files due to the complexity
of the code
Andrew Barltett
When FDS is used as a backend, Samba should not use the
linked_attributes LDB module, but instead use the built-in
DS plugins for attribute linking, indexing, and referential
integrity.
This was a bad idea all along, as Simo said at the time. With the
full MS schema and enforcement of it, it is an even worse idea.
This fixes the provision of the member server in 'make test'
Andrew Bartlett
Give the possibility to specify controls when loading ldif files.
Relax control is specified by default for all ldb_add_diff (request Andrew B).
Set domainguid if specified at the creation of object instead of modifying afterward
Allow to specify objectGUID for NTDS object of the first DC this option is used during provision upgrade.
- Improve the error handling according to Jelmer's suggestions
- Print out the error messages on "stderr"
- Add also here the "choice" type for arguments
When adding a W2K8 DC to a domain running earlier DC versions, the "adprep"
utility is used to perform schema updates and update other attributes as
necessary.
Adding these entries provides an indication that the adprep utility has been run
with the /forestprep, /domainprep and /rodcprep arguments. Although these
entries indicate adprep has been run, nothing has been done to verify that the
changes that the adprep utility would have made have actually been done.
The values used for the revision atttributes are as seen on a W2K8 DC (not
W2K8 R2, which will probably have higher values).
- We support domain/forest function levels >= (Windows) 2003 Native -> adapt the
domain/forest and DC function level restrictions.
- Consider also the lowest function level of a DC. The domain and forest function
levels can never be higher than it.
- Improve the error handling by printing out messages to "stderr"
- Introduce the "choice" type for choice arguments (saves us some error handling)
I removed it since on some scripts it was present, on others not - so I thought
it wouldn't be really needed. This was a bad decision (pointed out by abartlet).
So I reintroduce it on all scripts (to have consistent parameters).
The second "nTMixedDomain" attribute (under Partitions/Domain-DN) is only a
copy of the one under the directory root object. Therefore there doesn't exist
the "Windows 2000 Mixed" forest level.
I reread some docs about this attributes and it seems that this as mapping
attribute isn't host specific but in common for the whole domain. To allow
Windows DCs to join our s4 domain sooner or later we have to provide the full
attribute.
- The tool displays now also mixed/interim domain levels and warns about them
(s4 isn't capable to run on them)
- But it allows now also to raise/step-up from them
- It displays now also levels higher than 2008 R2 (altough we don't support them
yet) but to be able to get a correct output
I had to think about how to encode the string 0x0001 (taken from Windows Server).
The problem is due to the "0" byte at the beginning of it. BASE64 encoding
seems a good method to do it.
- I removed also the "-H" parameter since those scripts are all thought for the
use on a local s4 domain controller. Another reason is also the bind as SYSTEM
account which itself is only possible on local binds.
- This unified the shape of those four scripts (comments, command sequence, call
of SamDB)
- To consider the samdb.py changes regarding the filter: there is now always the
possibility either to specify the username or the search filter
This simple script allows raising the domain and/or forest level for s4.
I integrated also the basic checks (since we don't perform them in LDB yet):
e.g. the forest level can't be higher than the domain level(s).
