[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Sat Jun 26 02:50:20 MDT 2010
The branch, master has been updated
via 50da834... s4:provision: add entries for root dns servers
via 6ab234c... s4:provision: move Samba4 specific DNS stuff to its own file
via c6b2193... s4:provision: add --next-rid option
via 7905901... s4:dsdb/ridalloc: add comment about windows behavior regarding rIDUsedPool
via 712a149... s4:provision: don't use hardcoded values for 'nextRid' and 'rIDAvailablePool'
via 89f94a4... s4:provision: pass relax control also to modify_ldif
from 2f7fe9d... s4/net-drs: Fix error messages typo and formatting
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 50da834f136e4ed2f1bd29b0e1b12c941f933c7c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 25 15:10:32 2010 +0200
s4:provision: add entries for root dns servers
metze
commit 6ab234cec9e1ed13ffd5d2d117417f7dd71c44f1
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 25 13:32:39 2010 +0200
s4:provision: move Samba4 specific DNS stuff to its own file
metze
commit c6b21931c6574322c8740f1a67f9125437c42c0d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 25 14:01:21 2010 +0200
s4:provision: add --next-rid option
Make it possible to provision a domain with a given next rid counter.
This will be useful for upgrades, where we want to import users
with already given SIDs.
metze
commit 7905901bc018ec91c69368dedd906c1cf89103f3
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 25 12:47:34 2010 +0200
s4:dsdb/ridalloc: add comment about windows behavior regarding rIDUsedPool
metze
commit 712a149802e9613f105861e838a29bb226e62e02
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 25 11:11:56 2010 +0200
s4:provision: don't use hardcoded values for 'nextRid' and 'rIDAvailablePool'
On Windows dcpromo imports nextRid from the local SAM,
which means it's not hardcoded to 1000.
The initial rIDAvailablePool starts at nextRid + 100.
I also found that the RID Set of the local dc
should be created via provision and not at runtime,
when the first rid is needed.
(Tested with dcpromo on w2k8r2, while disabling the DNS
check box).
After provision we should have this (assuming nextRid=1000):
rIDAllocationPool: 1100-1599
rIDPrevAllocationPool: 1100-1599
rIDUsedPool: 0
rIDNextRID: 1100
rIDAvailablePool: 1600-1073741823
Because provision sets rIDNextRid=1100, the first created account
(typically DNS related accounts) will get 1101 as rid!
metze
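The RID layout laid out in this commit message, as an added example that is not Samba's code: it recomputes the pool attributes from a single next_rid using the offsets (+100, +499, +600) and the range check introduced in the patch below, and packs a pool into the 64-bit form that ridalloc.c splits into low and high halves; all constant and function names are mine.

```python
# Added example (not Samba code): the RID bookkeeping this commit derives
# from a single next_rid value, plus the 64-bit LargeInteger packing used
# for the pool attributes (low 32 bits = start, high 32 bits = end, the
# same split ridalloc.c applies to rIDPreviousAllocationPool).

RID_MIN = 1000                  # lower bound accepted by provision
RID_MAX = 1000000000            # upper bound accepted by provision
RID_POOL_OFFSET = 100           # first DC pool starts at nextRid + 100
RID_POOL_SIZE = 500             # 1100-1599 is 500 RIDs
RID_AVAILABLE_MAX = 1073741823  # end of rIDAvailablePool in provision.ldif


def next_rid_is_valid(next_rid):
    """The range check setup_samdb enforces on --next-rid."""
    return RID_MIN <= next_rid <= RID_MAX


def pack_pool(lo, hi):
    """Encode a 'lo-hi' pool as the LargeInteger stored in the directory."""
    return (hi << 32) | lo


def unpack_pool(value):
    """Split a stored LargeInteger back into (lo, hi)."""
    return value & 0xFFFFFFFF, value >> 32


def provision_rid_state(next_rid):
    """Attributes provision writes for a given nextRid (default 1000)."""
    if not next_rid_is_valid(next_rid):
        raise ValueError("next_rid %u outside %u-%u" % (next_rid, RID_MIN, RID_MAX))
    start = next_rid + RID_POOL_OFFSET      # RIDALLOCATIONSTART
    end = start + RID_POOL_SIZE - 1         # RIDALLOCATIONEND
    return {
        "nextRid": next_rid,                # base DN
        "objectSID_rid": next_rid,          # the DC's own account (DCRID)
        "rIDAllocationPool": (start, end),  # RID Set of the local DC
        "rIDPrevAllocationPool": (start, end),
        "rIDUsedPool": 0,
        "rIDNextRID": start,
        "rIDAvailablePool": (end + 1, RID_AVAILABLE_MAX),  # RID Manager$
    }


def first_allocated_rid(state):
    """The first account created after provision gets rIDNextRID + 1 (1101)."""
    return state["rIDNextRID"] + 1


def pools_consistent(state):
    """Invariant the three hard-coded offsets must keep: the DC's RID lies below
    its pool, and the pool ends exactly where the available range begins."""
    a_lo, a_hi = state["rIDAllocationPool"]
    v_lo, v_hi = state["rIDAvailablePool"]
    return state["objectSID_rid"] < a_lo <= a_hi and a_hi + 1 == v_lo <= v_hi
```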
commit 89f94a43d89c9c0238f7b1d3d294175f8482adf9
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 25 12:27:27 2010 +0200
s4:provision: pass relax control also to modify_ldif
metze
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/samdb/ldb_modules/ridalloc.c | 7 ++-
source4/scripting/python/samba/provision.py | 40 ++++++++--
source4/setup/provision | 4 +-
source4/setup/provision.ldif | 7 +--
source4/setup/provision_basedn_modify.ldif | 2 +-
source4/setup/provision_dns_add.ldif | 103 +++++++++++++++++++++++++
source4/setup/provision_self_join.ldif | 2 +-
source4/setup/provision_self_join_modify.ldif | 25 +++----
8 files changed, 158 insertions(+), 32 deletions(-)
create mode 100644 source4/setup/provision_dns_add.ldif
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/samdb/ldb_modules/ridalloc.c b/source4/dsdb/samdb/ldb_modules/ridalloc.c
index e54d6b4..6fc04fd 100644
--- a/source4/dsdb/samdb/ldb_modules/ridalloc.c
+++ b/source4/dsdb/samdb/ldb_modules/ridalloc.c
@@ -491,7 +491,12 @@ int ridalloc_allocate_rid(struct ldb_module *module, uint32_t *rid)
prev_alloc_pool_lo = prev_alloc_pool & 0xFFFFFFFF;
prev_alloc_pool_hi = prev_alloc_pool >> 32;
- /* update the rIDUsedPool attribute */
+ /*
+ * update the rIDUsedPool attribute
+ *
+ * Note: w2k8r2 doesn't update this attribute,
+ * at least if it's itself the rid master.
+ */
ret = dsdb_module_set_integer(module, rid_set_dn, "rIDUsedPool", rid_used_pool+1);
if (ret != LDB_SUCCESS) {
ldb_asprintf_errstring(ldb, __location__ ": Failed to update rIDUsedPool on %s - %s",
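Review bot: the new comment records that w2k8r2 does not update rIDUsedPool when it is itself the RID master, yet the dsdb_module_set_integer() call right below still increments it unconditionally; say in the comment whether keeping the increment is intentional (and why), otherwise the note reads like an unfinished TODO to the next person touching ridalloc_allocate_rid().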
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index a3ff891..84045da 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -344,7 +344,7 @@ def setup_add_ldif(ldb, ldif_path, subst_vars=None,controls=["relax:0"]):
ldb.add_ldif(data, controls)
-def setup_modify_ldif(ldb, ldif_path, subst_vars=None):
+def setup_modify_ldif(ldb, ldif_path, subst_vars=None,controls=["relax:0"]):
"""Modify a ldb in the private dir.
:param ldb: LDB object.
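Review bot: the new signature `def setup_modify_ldif(ldb, ldif_path, subst_vars=None,controls=["relax:0"]):` uses a mutable list as a default argument (mirroring setup_add_ldif in the hunk header); it works as long as no caller mutates the list, but `controls=None` with the default assigned inside the body is the safer idiom, and a space after the comma before `controls` would match the rest of the parameter list.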
@@ -352,7 +352,7 @@ def setup_modify_ldif(ldb, ldif_path, subst_vars=None):
:param subst_vars: Optional dictionary with substitution variables.
"""
data = read_and_sub_file(ldif_path, subst_vars)
- ldb.modify_ldif(data)
+ ldb.modify_ldif(data, controls)
def setup_ldb(ldb, ldif_path, subst_vars):
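Review bot: the docstring ending at `:param subst_vars: Optional dictionary with substitution variables.` does not mention the new `controls` parameter that is now passed to `ldb.modify_ldif(data, controls)`; add a line such as `:param controls: LDB controls to pass with the modify (default ["relax:0"]).`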
@@ -868,7 +868,7 @@ def setup_samdb_rootdse(samdb, setup_path, names):
def setup_self_join(samdb, names,
machinepass, dnspass,
- domainsid, invocationid, setup_path,
+ domainsid, next_rid, invocationid, setup_path,
policyguid, policyguid_dc, domainControllerFunctionality,
ntdsguid):
"""Join a host to its own domain."""
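Review bot: `next_rid` is inserted as a positional parameter between `domainsid` and `invocationid` in setup_self_join(); any caller still passing arguments positionally would have its `invocationid` and `setup_path` silently shifted. The call site in this patch uses keywords, so consider appending the parameter at the end (or requiring keywords) to keep that safe for other callers.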
@@ -890,6 +890,7 @@ def setup_self_join(samdb, names,
"REALM": names.realm,
"DOMAIN": names.domain,
"DOMAINSID": str(domainsid),
+ "DCRID": str(next_rid),
"DNSDOMAIN": names.dnsdomain,
"SAMBA_VERSION_STRING": version,
"NTDSGUID": ntdsguid_line,
@@ -919,6 +920,15 @@ def setup_self_join(samdb, names,
"SERVERDN": names.serverdn,
"NETBIOSNAME": names.netbiosname,
"NTDSGUID": names.ntdsguid,
+ "RIDALLOCATIONSTART": str(next_rid + 100),
+ "RIDALLOCATIONEND": str(next_rid + 100 + 499),
+ })
+
+ # This is Samba4 specific and should be replacted by the correct
+ # DNS AD-style setup
+ setup_add_ldif(samdb, setup_path("provision_dns_add.ldif"), {
+ "DNSDOMAIN": names.dnsdomain,
+ "DOMAINDN": names.domaindn,
"DNSPASS_B64": b64encode(dnspass),
})
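Review bot: "replacted" in the new comment should be "replaced". More importantly, `str(next_rid + 100)` and `str(next_rid + 100 + 499)` hard-code the pool geometry here while setup_samdb() hard-codes `next_rid + 600` for rIDAvailablePool; define the offset and pool size once (for example a RID pool start/size constant) so the three values cannot drift apart.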
@@ -947,12 +957,22 @@ def setup_gpo(sysvolpath, dnsdomain, policyguid, policyguid_dc):
def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
logger, domainsid, domainguid, policyguid, policyguid_dc, fill,
adminpass, krbtgtpass, machinepass, invocationid, dnspass, ntdsguid,
- serverrole, am_rodc=False, dom_for_fun_level=None, schema=None):
+ serverrole, am_rodc=False, dom_for_fun_level=None, schema=None,
+ next_rid=1000):
"""Setup a complete SAM Database.
:note: This will wipe the main SAM database file!
"""
+
+ # Provision does not make much sense values larger than 1000000000
+ # as the upper range of the rIDAvailablePool is 1073741823 and
+ # we don't want to create a domain that cannot allocate rids.
+ if next_rid < 1000 or next_rid > 1000000000:
+ error = "You want to run SAMBA 4 with a next_rid of %u, " % (next_rid)
+ error += "the valid range is %u-%u. The default is %u." % (1000, 1000000000, 1000)
+ raise ProvisioningError(error)
+
# ATTENTION: Do NOT change these default values without discussion with the
# team and/or release manager. They have a big impact on the whole program!
domainControllerFunctionality = DS_DOMAIN_FUNCTION_2008_R2
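Review bot: the comment "Provision does not make much sense values larger than 1000000000" is missing "for", and the error text "You want to run SAMBA 4 with a next_rid of %u" reads oddly for a fatal message; something like "Invalid next_rid %u: the valid range is %u-%u (default %u)" names the option the user set. The bounds 1000 and 1000000000 are also repeated literally in the format arguments and again as the default in provision() and the option parser; a pair of module-level constants would keep them in one place.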
@@ -1027,6 +1047,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
"CREATTIME": str(int(time.time() * 1e7)), # seconds -> ticks
"DOMAINSID": str(domainsid),
+ "NEXTRID": str(next_rid),
"SCHEMADN": names.schemadn,
"NETBIOSNAME": names.netbiosname,
"DEFAULTSITE": names.sitename,
@@ -1109,6 +1130,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
"DEFAULTSITE": names.sitename,
"CONFIGDN": names.configdn,
"SERVERDN": names.serverdn,
+ "RIDAVAILABLESTART": str(next_rid + 600),
"POLICYGUID_DC": policyguid_dc
})
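Review bot: `"RIDAVAILABLESTART": str(next_rid + 600)` is only correct because RIDALLOCATIONEND in setup_self_join() is `next_rid + 100 + 499`; nothing in either place states that dependency. A comment ("must be RIDALLOCATIONEND + 1") or deriving both from the same constants would prevent a later edit from producing an overlap between the DC's allocation pool and the domain's rIDAvailablePool.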
@@ -1132,7 +1154,9 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
setup_self_join(samdb, names=names, invocationid=invocationid,
dnspass=dnspass,
machinepass=machinepass,
- domainsid=domainsid, policyguid=policyguid,
+ domainsid=domainsid,
+ next_rid=next_rid,
+ policyguid=policyguid,
policyguid_dc=policyguid_dc,
setup_path=setup_path,
domainControllerFunctionality=domainControllerFunctionality,
@@ -1208,7 +1232,8 @@ def provision(setup_dir, logger, session_info,
rootdn=None, domaindn=None, schemadn=None, configdn=None,
serverdn=None,
domain=None, hostname=None, hostip=None, hostip6=None,
- domainsid=None, adminpass=None, ldapadminpass=None,
+ domainsid=None, next_rid=1000,
+ adminpass=None, ldapadminpass=None,
krbtgtpass=None, domainguid=None,
policyguid=None, policyguid_dc=None, invocationid=None,
machinepass=None, ntdsguid=None,
@@ -1428,7 +1453,8 @@ def provision(setup_dir, logger, session_info,
invocationid=invocationid,
machinepass=machinepass, dnspass=dnspass,
ntdsguid=ntdsguid, serverrole=serverrole,
- dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc)
+ dom_for_fun_level=dom_for_fun_level,
+ am_rodc=am_rodc, next_rid=next_rid)
if serverrole == "domain controller":
if paths.netlogon is None:
diff --git a/source4/setup/provision b/source4/setup/provision
index 264245a..e127ac8 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -107,6 +107,8 @@ parser.add_option("--server-role", type="choice", metavar="ROLE",
parser.add_option("--function-level", type="choice", metavar="FOR-FUN-LEVEL",
choices=["2000", "2003", "2008", "2008_R2"],
help="The domain and forest function level (2003 | 2008 | 2008_R2). Default is (Windows) 2003 (Native).")
+parser.add_option("--next-rid", type="int", metavar="NEXTRID", default=1000,
+ help="The initial nextRid value (only needed for upgrades). Default is 1000.")
parser.add_option("--partitions-only",
help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true")
parser.add_option("--targetdir", type="string", metavar="DIR",
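Review bot: the help text for `--next-rid` says "only needed for upgrades" but not which values are accepted; the range 1000-1000000000 is only enforced deep in setup_samdb(), so an out-of-range value surfaces as a ProvisioningError rather than a usage error. Mention the range in the help string and, ideally, validate it right after option parsing.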
@@ -253,7 +255,7 @@ try:
ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls,
slapd_path=opts.slapd_path, setup_ds_path=opts.setup_ds_path,
nosync=opts.nosync, ldap_dryrun_mode=opts.ldap_dryrun_mode,
- useeadb=eadb)
+ useeadb=eadb, next_rid=opts.next_rid)
except ProvisioningError, e:
print str(e)
exit(1)
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 7ba3183..2db01f9 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -780,11 +780,6 @@ objectClass: top
objectClass: container
isCriticalSystemObject: TRUE
-dn: CN=MicrosoftDNS,CN=System,${DOMAINDN}
-objectClass: top
-objectClass: container
-displayName: DNS Servers
-
dn: CN=Password Settings Container,CN=System,${DOMAINDN}
objectClass: top
objectClass: msDS-PasswordSettingsContainer
@@ -809,7 +804,7 @@ dn: CN=RID Manager$,CN=System,${DOMAINDN}
objectClass: top
objectClass: rIDManager
systemFlags: -1946157056
-rIDAvailablePool: 1001-1073741823
+rIDAvailablePool: ${RIDAVAILABLESTART}-1073741823
isCriticalSystemObject: TRUE
dn: CN=RpcServices,CN=System,${DOMAINDN}
diff --git a/source4/setup/provision_basedn_modify.ldif b/source4/setup/provision_basedn_modify.ldif
index 1d5345c..b4f3016 100644
--- a/source4/setup/provision_basedn_modify.ldif
+++ b/source4/setup/provision_basedn_modify.ldif
@@ -68,7 +68,7 @@ replace: msDS-PerUserTrustTombstonesQuota
msDS-PerUserTrustTombstonesQuota: 10
-
replace: nextRid
-nextRid: 1000
+nextRid: ${NEXTRID}
-
replace: nTMixedDomain
nTMixedDomain: 0
diff --git a/source4/setup/provision_dns_add.ldif b/source4/setup/provision_dns_add.ldif
new file mode 100644
index 0000000..ac818a5
--- /dev/null
+++ b/source4/setup/provision_dns_add.ldif
@@ -0,0 +1,103 @@
+dn: CN=DnsAdmins,CN=Users,${DOMAINDN}
+objectClass: group
+description: DNS Administrators Group
+sAMAccountName: DnsAdmins
+groupType: -2147483644
+
+dn: CN=DnsUpdateProxy,CN=Users,${DOMAINDN}
+objectClass: group
+description: DNS clients who are permitted to perform dynamic updates on behal
+ f of some other clients (such as DHCP servers).
+sAMAccountName: DnsUpdateProxy
+groupType: -2147483646
+
+dn: CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: container
+displayName: DNS Servers
+
+dn: DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsZone
+
+dn: DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsNode
+dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBagxyb290LXNlcnZlcnMDbmV0AA==
+dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBZAxyb290LXNlcnZlcnMDbmV0AA==
+dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBYgxyb290LXNlcnZlcnMDbmV0AA==
+dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBYQxyb290LXNlcnZlcnMDbmV0AA==
+dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBaQxyb290LXNlcnZlcnMDbmV0AA==
+dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBbAxyb290LXNlcnZlcnMDbmV0AA==
+dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBbQxyb290LXNlcnZlcnMDbmV0AA==
+dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBZwxyb290LXNlcnZlcnMDbmV0AA==
+dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBZQxyb290LXNlcnZlcnMDbmV0AA==
+dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBawxyb290LXNlcnZlcnMDbmV0AA==
+dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBZgxyb290LXNlcnZlcnMDbmV0AA==
+dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBYwxyb290LXNlcnZlcnMDbmV0AA==
+dnsRecord:: FgACAAUIAAAAAAAAAAAAAAAAAAAAAAAAFAMBaAxyb290LXNlcnZlcnMDbmV0AA==
+
+dn: DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsNode
+dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAgD8CNQ==
+
+dn: DC=c.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsNode
+dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwCEEDA==
+
+dn: DC=f.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsNode
+dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwAUF8Q==
+
+dn: DC=k.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsNode
+dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwQAOgQ==
+
+dn: DC=e.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsNode
+dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwMvmCg==
+
+dn: DC=g.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsNode
+dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwHAkBA==
+
+dn: DC=m.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsNode
+dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAygwbIQ==
+
+dn: DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsNode
+dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAxwdTKg==
+
+dn: DC=i.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsNode
+dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwCSUEQ==
+
+dn: DC=a.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsNode
+dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAxikABA==
+
+dn: DC=b.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsNode
+dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwORPyQ==
+
+dn: DC=d.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsNode
+dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAgAgKWg==
+
+dn: DC=j.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,${DOMAINDN}
+objectClass: dnsNode
+dnsRecord:: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwDqAHg==
+
+
+# NOTE: This account is SAMBA4 specific!
+dn: CN=dns,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+description: DNS Service Account
+userAccountControl: 514
+accountExpires: 9223372036854775807
+sAMAccountName: dns
+servicePrincipalName: DNS/${DNSDOMAIN}
+userPassword:: ${DNSPASS_B64}
+isCriticalSystemObject: TRUE
+
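Review bot: the `CN=MicrosoftDNS,CN=System,${DOMAINDN}` entry in this new file lists only `objectClass: container`, whereas the entry removed from provision.ldif in the same patch also carried `objectClass: top`; restore it unless the omission is deliberate. The thirteen `dnsRecord::` values on the `DC=@` node and the per-server A records are opaque base64; a comment naming the decoded root server and address for each, and how the blobs were produced, would make the root hints reviewable and updatable. There is also a stray double blank line before the `# NOTE:` comment and a trailing blank line at the end of the file.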
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index d4d06f6..2530a0e 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -32,7 +32,7 @@ servicePrincipalName: ldap/${DNSNAME}
servicePrincipalName: ldap/${DNSNAME}/${REALM}
userAccountControl: 532480
userPassword:: ${MACHINEPASS_B64}
-objectSID: ${DOMAINSID}-1000
+objectSID: ${DOMAINSID}-${DCRID}
# Here are missing the objects for the NTFRS subscription since we don't
# support this technique yet.
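Review bot: `objectSID: ${DOMAINSID}-${DCRID}` gives the DC account the RID `next_rid`, while provision_basedn_modify.ldif in the same patch sets `nextRid: ${NEXTRID}` to the same value, so the domain counter points at a RID that is already consumed. Please confirm this is what dcpromo produces (the commit message says nextRid is imported from the local SAM) and, if so, document it; otherwise one of the two should be offset by one.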
diff --git a/source4/setup/provision_self_join_modify.ldif b/source4/setup/provision_self_join_modify.ldif
index f81a2b6..b667e5c 100644
--- a/source4/setup/provision_self_join_modify.ldif
+++ b/source4/setup/provision_self_join_modify.ldif
@@ -28,23 +28,18 @@ changetype: modify
replace: interSiteTopologyGenerator
interSiteTopologyGenerator: CN=NTDS Settings,${SERVERDN}
+dn: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
+changetype: add
+objectClass: rIDSet
+rIDAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
+rIDPreviousAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
+rIDUsedPool: 0
+rIDNextRID: ${RIDALLOCATIONSTART}
+
dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
changetype: modify
add: servicePrincipalName
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN}
servicePrincipalName: ldap/${NTDSGUID}._msdcs.${DNSDOMAIN}
-
-# NOTE: This account is SAMBA4 specific!
-dn: CN=dns,CN=Users,${DOMAINDN}
-changetype: add
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-description: DNS Service Account
-userAccountControl: 514
-accountExpires: 9223372036854775807
-sAMAccountName: dns
-servicePrincipalName: DNS/${DNSDOMAIN}
-userPassword:: ${DNSPASS_B64}
-isCriticalSystemObject: TRUE
+add: rIDSetReferences
+rIDSetReferences: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
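Review bot: the new RID Set entry sets `rIDNextRID: ${RIDALLOCATIONSTART}` with `rIDAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}`, which means the first RID of the pool is never handed out (the commit message confirms the first account gets 1101, not 1100); a one-line LDIF comment stating that rIDNextRID is the last used RID, not the next free one, would save readers from assuming an off-by-one. Adding `rIDSetReferences` to the DC object in the same file is good, since without it ridalloc cannot find the set.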
--
Samba Shared Repository