Uri Simchoni [Tue, 5 Dec 2017 18:56:49 +0000 (20:56 +0200)]
sysacls: change datatypes to 32 bits
The SMB_ACL_PERMSET_T and SMB_ACL_PERM_T were defined as
mode_t, which is 16-bits on some (non-Linux) systems. However,
pidl *always* encodes mode_t as uint32_t. That created a bug on
big-endian systems as sys_acl_get_permset() returns a SMB_ACL_PERMSET_T
pointer to an internal a_perm structure member defined in IDL as a mode_t,
which pidl turns into a uint32_t in the emitted header file.
Uri Simchoni [Tue, 5 Dec 2017 18:49:03 +0000 (20:49 +0200)]
pysmbd: fix use of sysacl API
Fix pysmbd to use the sysacl (POSIX ACL support) as intended, and
not assume too much about the inner structure and implementation
of the permissions in the sysacl API.
This will allow the inner structure to change in a following commit.
Andrew Bartlett [Wed, 20 Dec 2017 23:07:46 +0000 (12:07 +1300)]
samba-tool domain schemaupgrade: Avoid reindex after every hunk
This takes advantage of the fact that a single LDB operation is atomic
even inside our transaction and so we can retry it after updating the
schema.
This makes the samba-tool domain schemaupgrade take 1m30s compared with 4m4s.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Dec 21 08:28:51 CET 2017 on sn-devel-144
Garming Sam [Sun, 17 Dec 2017 23:45:02 +0000 (12:45 +1300)]
ldapcmp: Improve the difference checker of ldapcmp for 2012 R2
There are a number of new attributes which may be considered DNs.
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Garming Sam <garming@samba.org>
Autobuild-Date(master): Thu Dec 21 03:41:19 CET 2017 on sn-devel-144
Garming Sam [Tue, 12 Dec 2017 23:09:02 +0000 (12:09 +1300)]
forest_update: Allow the script to add the missing forest containers
Before we set the prep level higher in default provisions, we should add
these objects to the initial ldif (so that our initial ldif represents a
full 2008R2 domain which we build consistently on).
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Fri, 24 Nov 2017 03:26:52 +0000 (16:26 +1300)]
Forest-Wide-Updates.md: Include the description of forest wide updates
This is sourced from the WindowsServerDocs repository on Github under an
MIT/CC 4.0 attribution license. A huge thanks is required for these
being provided and the work done in the process, as they mean a lot less
work for us to repeat.
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
g_lock: fix cleanup of stale entries in g_lock_trylock()
g_lock_trylock() always incremented the counter 'i', even after cleaning a stale
entry at position 'i', which means it skipped checking for a conflict against
the new entry at position 'i'.
As a result a process could get a write lock, while there're still
some read lock holders. Once we get into that problem, also more than
one write lock is possible.
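The skipped-entry bug described in the g_lock commit above, reduced to a stand-alone model (an added example, not Samba's g_lock code). The record layout, the liveness check and the compaction by moving the last entry into slot `i` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical lock table entry; not the g_lock record format. */
enum lock_type { LOCK_READ, LOCK_WRITE };
struct lock_rec { int pid; enum lock_type type; };

/* Constructed liveness oracle: pids below 100 count as dead holders. */
static bool process_exists(int pid) { return pid >= 100; }

/*
 * Try to take a lock of type `want`. Stale conflicting entries are pruned
 * in place. With `buggy` set, the index advances even after pruning, so the
 * entry that was moved into slot i is never checked for a conflict.
 */
bool trylock(struct lock_rec *locks, size_t *num, enum lock_type want,
             bool buggy)
{
    size_t i = 0;

    while (i < *num) {
        bool conflict = (want == LOCK_WRITE) ||
                        (locks[i].type == LOCK_WRITE);
        if (conflict) {
            if (process_exists(locks[i].pid))
                return false;           /* live conflicting holder */
            locks[i] = locks[*num - 1]; /* drop the stale entry */
            (*num)--;
            if (!buggy)
                continue;               /* re-check the new entry at i */
        }
        i++;
    }
    return true;
}

/* Constructed table: one stale reader followed by one live reader. */
bool write_lock_granted(bool buggy)
{
    struct lock_rec locks[] = { { 1, LOCK_READ }, { 200, LOCK_READ } };
    size_t num = 2;

    return trylock(locks, &num, LOCK_WRITE, buggy);
}

int main(void)
{
    printf("buggy loop grants write lock: %d\n", write_lock_granted(true));
    printf("fixed loop grants write lock: %d\n", write_lock_granted(false));
    return 0;
}
```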
Jamie McClymont [Fri, 8 Dec 2017 02:20:36 +0000 (15:20 +1300)]
selftest: replace global with explicit environment variables
This patch removes setting of NSS_WRAPPER and RESOLV_WRAPPER variables globally
in Samba3.pm (because setting them persistently/globally can create hidden
ordering dependencies). Instead, they are set on subprocesses as required, which
appears to be the following two places (aside from those places where they are
already set explicitly):
* calls to createuser in provision
* calls to wbinfo --ping-dc in wait_for_start
Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Dec 20 08:50:26 CET 2017 on sn-devel-144
Jamie McClymont [Fri, 8 Dec 2017 01:47:09 +0000 (14:47 +1300)]
selftest: apply NSS_WRAPPER_HOSTNAME to child processes
Currently, Samba3.pm returns a value for NSS_WRAPPER_HOSTNAME in provision, but
selftest.pl does not apply it, so Samba3.pm /also/ sets it in its own
environment. This breaks a command like this:
make test TESTS="samba3.blackbox.smbclient_ntlm.plain samba3.rpc.samba3.netlogon"
... since samba3.blackbox.smbclient_ntlm.plain runs in an nt4_member env,
thereby setting ENV{NSS_WRAPPER_HOSTNAME} to the value for a member, and
samba3.rpc.samba3.netlogon depended on NSS_WRAPPER_HOSTNAME as a username (until
previous commit).
Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jamie McClymont [Tue, 5 Dec 2017 23:49:48 +0000 (12:49 +1300)]
selftest: fix samba3.rpc.samba3.netlogon running after an nt4_member test
samba3.rpc.samba3.netlogon is using get_myname to find a username with which to
perform a join. This means that the test tries to join with the existing
localnt4dc2 user, which happens to work if get_myname is working
correctly (which it isn't -- see next commit about NSS_WRAPPER_HOSTNAME!)
This commit fixes a test run with, for example:
TESTS="samba3.blackbox.smbclient_ntlm.plain samba3.rpc.samba3.netlogon"
(given samba3.blackbox.smbclient_ntlm.plain is in the nt4_member env)
...which previously failed due to the combination of this and the
NSS_WRAPPER_HOSTNAME bug.
Signed-off-by: Jamie McClymont <jamiemcclymont@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 18 Dec 2017 03:22:01 +0000 (16:22 +1300)]
ldb: Intersect the index from SCOPE_ONELEVEL with the index for the search expression
This helps ensure we do not have to scan all objects at this level
which could be very many (one per DNS zone entry).
However, due to the O(n*m) behaviour in list_intersect() for older
databases, we only do this in the GUID index mode, leaving the behaviour
unchanged for existing callers that do not specify the GUID index mode.
NOTE WELL: the behaviour of disallowDNFilter is enforced
in the index code, so this fixes SCOPE_ONELEVEL to also
honour disallowDNFilter, hence the additional tests.
The change to select the SUBTREE index in the absence of
the ONELEVEL index enforces this.
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec 20 04:21:51 CET 2017 on sn-devel-144
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Dec 19 11:24:29 CET 2017 on sn-devel-144
Andrew Bartlett [Thu, 14 Dec 2017 23:30:50 +0000 (12:30 +1300)]
dns_server: Do the exact match query first, then do the wildcard lookup
The wildcard lookup is SCOPE_ONELEVEL combined with an index on the name
attribute. This is not as efficient as a base DN lookup, so we try for
that first.
A not-found and wildcard response will still fall back to the ONELEVEL
index.
Christof Schmitt [Mon, 18 Dec 2017 19:54:40 +0000 (12:54 -0700)]
winbind: Fix backslash in format string
Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Dec 19 07:18:58 CET 2017 on sn-devel-144
The comparison result has been ignored, which is not good. Also remove
the "ldbsearch" command in the error branch which does not make much sense.
The scripts need to be run through test-tdb.sh, test-ldap.sh or
test-sqlite3.sh which I didn't realise before. Hence less changes are needed
and this is a reduced version of the patch published on the mailing list.
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date(master): Tue Dec 19 03:09:12 CET 2017 on sn-devel-144
Christof Schmitt [Fri, 15 Dec 2017 22:32:12 +0000 (15:32 -0700)]
vfs: Use static_decl_vfs in all VFS modules
Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 18 13:32:00 CET 2017 on sn-devel-144
Gary Lockyer [Sun, 10 Dec 2017 21:03:45 +0000 (10:03 +1300)]
source4/lib/socket/socket_ip.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 18 08:49:57 CET 2017 on sn-devel-144
Gary Lockyer [Sun, 10 Dec 2017 20:58:59 +0000 (09:58 +1300)]
source3/winbindd/winbindd.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 10 Dec 2017 20:57:04 +0000 (09:57 +1300)]
source3/utils/smbfilter.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 10 Dec 2017 20:54:34 +0000 (09:54 +1300)]
source3/libsmb/unexpected.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 10 Dec 2017 20:51:35 +0000 (09:51 +1300)]
source3/smbd/server.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 10 Dec 2017 20:46:07 +0000 (09:46 +1300)]
source3/lib/server_prefork.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 10 Dec 2017 20:39:43 +0000 (09:39 +1300)]
source3/rpc_server/rpc_server.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 10 Dec 2017 20:37:28 +0000 (09:37 +1300)]
ctdb/tcp/tcp_connect.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 10 Dec 2017 20:36:08 +0000 (09:36 +1300)]
ctdb/server/ctdb_daemon.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 10 Dec 2017 20:31:33 +0000 (09:31 +1300)]
lib/async_req/async_sock.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Sun, 10 Dec 2017 20:17:49 +0000 (09:17 +1300)]
lib/tevent/echo_server.c set socket close on exec
Set SOCKET_CLOEXEC on the sockets returned by accept. This ensures that
the socket is unavailable to any child process created by system().
Making it harder for malicious code to set up a command channel,
as seen in the exploit for CVE-2015-0240
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
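What the close-on-exec commits above protect against, shown as a stand-alone check (an added example, not code from the Samba tree). It uses the POSIX FD_CLOEXEC flag set through fcntl(); the socketpair() standing in for an accept()ed connection and the `sleep` child command are assumptions so that it runs offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set FD_CLOEXEC while preserving any other descriptor flags. */
static int set_close_on_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/*
 * Returns 1 if a program started with fork()+exec() still holds the
 * connection, 0 if the kernel closed it at exec(), -1 on error.
 * socketpair() stands in for an accept()ed connection (assumption made
 * so the example runs offline); "sleep" stands in for the child command.
 */
int child_inherits_socket(int use_cloexec)
{
    int sv[2], status, ready;
    struct pollfd pfd;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    /* sv[0] plays the accepted socket, sv[1] the remote client. */
    if (set_close_on_exec(sv[1]) == -1 ||
        (use_cloexec && set_close_on_exec(sv[0]) == -1) ||
        (pid = fork()) == -1) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    if (pid == 0) {
        execlp("sleep", "sleep", "5", (char *)NULL);
        _exit(127);               /* exec failed */
    }
    close(sv[0]);                 /* server drops its own copy */

    /* The client sees EOF only once every copy of sv[0] is closed. */
    pfd.fd = sv[1];
    pfd.events = POLLIN;
    ready = poll(&pfd, 1, 1500);

    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    close(sv[1]);
    if (ready == -1 || (WIFEXITED(status) && WEXITSTATUS(status) == 127))
        return -1;
    return ready == 0;            /* timeout: the child kept it open */
}

int main(void)
{
    printf("without FD_CLOEXEC: inherited=%d\n", child_inherits_socket(0));
    printf("with FD_CLOEXEC:    inherited=%d\n", child_inherits_socket(1));
    return 0;
}
```

On Linux, accept4() with SOCK_CLOEXEC sets the flag atomically, which closes the window between accept() and fcntl() in a multithreaded server.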
Gary Lockyer [Mon, 11 Dec 2017 21:49:05 +0000 (10:49 +1300)]
WHATSNEW: Encrypted secrets
Document the encrypted secrets feature in WHATSNEW.txt
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Dec 18 04:36:19 CET 2017 on sn-devel-144
Gary Lockyer [Thu, 14 Dec 2017 18:21:10 +0000 (07:21 +1300)]
dsdb encrypted secrets module
Encrypt the samba secret attributes on disk. This is intended to
mitigate the inadvertent disclosure of the sam.ldb file, and to mitigate
memory read attacks.
Currently the key file is stored in the same directory as sam.ldb but
this could be changed at a later date to use an HSM or similar mechanism
to protect the key.
Data is encrypted with AES 128 GCM. The encryption uses gnutls where
available and if it supports AES 128 GCM AEAD modes, otherwise nettle is
used.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Christof Schmitt [Wed, 13 Dec 2017 18:34:23 +0000 (11:34 -0700)]
smbd: Fix coredump on failing chdir during logoff
server_exit does an internal tree disconnect which requires a chdir to
the share directory. In case the file system encountered a problem and
the chdir call returns an error, this triggers a SERVER_EXIT_ABNORMAL
which in turn results in a panic and a coredump. As the log already
indicates the problem (chdir returned an error), avoid the
SERVER_EXIT_ABNORMAL in this case and not trigger a coredump.
Signed-off-by: Christof Schmitt <cs@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Dec 16 01:56:06 CET 2017 on sn-devel-144
This module allows injecting errors in vfs calls. It only implements one
case (return ESTALE from chdir), but the idea is to extend this to more
vfs functions and more errors when needed.
We also reduce the scope of the import so that python-markdown is only
required if interacting with 2012 code.
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Dec 14 12:34:04 CET 2017 on sn-devel-144
Andrew Bartlett [Mon, 20 Nov 2017 04:10:25 +0000 (17:10 +1300)]
provision: Use the official MS 2008R2 schema by default
This fixes us to have the official adminDescription etc. While both schema were provided by
Microsoft this is a better quality one, but still under the same licence.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Garming Sam [Wed, 16 Aug 2017 04:02:32 +0000 (16:02 +1200)]
provision: RODC revision level should be at 2
This number had been mistakenly updated alongside the standard forest
updates revision. This version number appears to be independent of the
other revision levels.
Also add the change to a new .ldf file, which can be used to apply
the schema change to an existing Samba 4.7 (or earlier) instance.
Update the provision/upgrade test to do just this (otherwise it
complains about differences between a new provision and an older Samba
4.0.0 instance).
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Fri, 6 Oct 2017 03:30:40 +0000 (16:30 +1300)]
selftest: Add basic test for schema upgrade
This tests that we can provision using both the 2008 and 2012 schema,
that we can upgrade a 2008 Samba instance to use the 2012 schema, and
that when we do that the result (more or less) matches a straight
2012 provision.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Garming Sam [Wed, 27 Sep 2017 01:51:25 +0000 (14:51 +1300)]
schema: Some 2012 objects were missing systemflags
The adprep LDIF files were adding the systemFlags, but they weren't
present in the 2012 schema files. This is not just a Microsoft
documentation problem - the difference was present when doing a provision
of a 2012 Windows server vs using Adprep.exe to upgrade an older Windows
server.
Samba might as well use the correct systemFlags right from the start.
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Wed, 4 Oct 2017 21:01:27 +0000 (10:01 +1300)]
upgradeprovision: Change test to always use 2008 R2 schema
This tool (and the corresponding test) is designed to migrate a Samba DC
from a pre-4.0.0 release up to a more recent schema (i.e. Windows 2008R2).
Going further than 2008R2 turns this test into a bit of a nightmare. We
now have a better adprep/'samba-tool domain schemaupgrade' option for
upgrading from 2008R2 to a more recent schema.
It seems to make most sense to leave these tests just running against
2008R2 schema provisions and add new tests to migrate from 2008R2 to
2012R2.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Wed, 4 Oct 2017 20:53:28 +0000 (09:53 +1300)]
domain.py: Add base-schema option to samba-tool provision
Allow a different base-schema to be used when provisioning a new domain.
This allows us to test the new 2012 schema without committing Samba to
using it by default.
If, in future, we change the default to use the 2012 schema, some
existing Samba tests (like upgradeprovision) rely on the 2012 schema.
So making the base-schema optional allows these tests to continue using
the older schema.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Tim Beale [Tue, 3 Oct 2017 23:30:59 +0000 (12:30 +1300)]
schema: Add option of specifying the base schema for a provision
Add the ability to override the base schema files being used for the
new provision, e.g. instead of using the default supported schema,
the code can now potentially specify an older or newer schema to use.
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Tue, 12 Dec 2017 02:26:35 +0000 (15:26 +1300)]
selftest: Fix upgradeprovision test by importing new objects for schema 45
The recent schema changes mean that the upgradeprovision test starts
failing. This is because it's using an old 4.0.0 schema (that doesn't
have these schema changes), but it's comparing it against a fresh
provision (which does have the changes). We can avoid this failure by
using the 'samba-tool domain schemaupgrade' to bring the old 4.0.0 schema
in line with a fresh provision. Note that the 'upgradeprovision --full'
test doesn't need this change as it seems to more aggressively copy over
any schema differences with a fresh provision.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Tue, 12 Dec 2017 02:20:26 +0000 (15:20 +1300)]
2008R2: Missing flags on optional features container for objectVersion 45
To match Windows 2008R2, this should have the same flags as the
recycle bin enabled feature.
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Wed, 13 Dec 2017 02:03:57 +0000 (15:03 +1300)]
2008R2: Missing extended rights for objectVersion 45
We appear to have been missing some extended rights from 2008R2. These were
added in samba by the extended-rights.ldif
On Windows this was in Sch45.ldf (triggered by adprep schema updates).
We add these changes to adprep/samba-4.7-missing-for-schema-45.ldif,
which can be used to apply the changes to an existing Samba instance.
This is not extracted from the Sch45.ldf file provided by Microsoft
but is instead extracted using ldapcmp against a Samba install running
the new extended-rights.ldif.
Finally, these schema changes mean that the upgradeprovision test starts
failing. This is because it's using an old 4.0.0 schema (that doesn't
have these schema changes), but it's comparing it against a fresh
provision (which does have the changes). We can avoid this failure by
using the 'samba-tool domain schemaupgrade' to bring the old 4.0.0 schema
in line with a fresh provision. Note that the 'upgradeprovision --full'
test doesn't need this change as it seems to more aggressively copy over
any schema differences with a fresh provision.
Signed-off-by: Garming Sam <garming@catalyst.net.nz> Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Mon, 11 Dec 2017 01:42:55 +0000 (14:42 +1300)]
schema: Re-work extended rights handling in provision (prep for 2012R2)
Add the changes needed to provision a 2012 DC (mostly this just affects
the Extended Rights objects) by moving to the new extended-rights.ldif
The localizationDisplayId is not documented in MS-ATDS so these values
are moved to provision_configuation_modify.ldif and applied after the
display-specifiers.ldif
We don't enable the 2012R2 mode yet. The ${INC2012} variable
just gets replaced with '#' so the lines get commented out and not
applied.
This approach allows us to support provisioning both a 2008R2 DC or
a 2012R2 DC (so that we can test we can upgrade a 2008 DC to 2012).
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett [Sun, 10 Dec 2017 22:09:51 +0000 (11:09 +1300)]
provision: Reformat appliesTo in Extended Rights into LDIF
We remove comments about Schema 45 and earlier as this is the base
level that Samba supports. A future commit will move to a
machine-parsable flag for the 2012 schema and remove the 2016 elements.
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>