samba.git/source4/setup/provision_basedn_modify.ldif, branch talloc-2.4.2

samba-tool: validate password early in `domain provision`

2017-12-09T23:47:30+00:00

Checks password against default quality and length standards when it is entered,
allowing a second chance to enter one (if interactive), rather than running
through the provisioning process and bailing on an exception

Includes unit tests for the newly-added python wrapper of check_password_quality
plus black-box tests for the checks in samba-tool.

Breaks an openldap test which uses an invalid password.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9710
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12235

Signed-off-by: Jamie McClymont 
Reviewed-by: Gary Lockyer

provision: reorganize attributes so that we don't attribute with DN syntax that depends on non present object

2011-04-30T12:51:16+00:00

Autobuild-User: Matthieu Patou 
Autobuild-Date: Sat Apr 30 14:51:16 CEST 2011 on sn-devel-104

s4:provision - adapt the "provision" so that SIDs are only set on entry creation

2010-11-01T11:25:24+00:00

SID modifications are denied.

s4:setup/provision_basedn_modify.ldif - set "minPwdAge" to the right value

2010-07-03T09:38:54+00:00

Now we should have fixed all password related tests to cooperate with this value

s4:provision: don't use hardcoded values for 'nextRid' and 'rIDAvailablePool'

2010-06-26T07:50:54+00:00

On Windows dcpromo imports nextRid from the local SAM,
which means it's not hardcoded to 1000.

The initlal rIDAvailablePool starts at nextRid + 100.

I also found that the RID Set of the local dc
should be created via provision and not at runtime,
when the first rid is needed.
(Tested with dcpromo on w2k8r2, while disabling the DNS
 check box).

After provision we should have this (assuming nextRid=1000):

rIDAllocationPool: 1100-1599
rIDPrevAllocationPool: 1100-1599
rIDUsedPool: 0
rIDNextRID: 1100

rIDAvailablePool: 1600-1073741823

Because provision sets rIDNextRid=1100, the first created account
(typically DNS related accounts) will get 1101 as rid!

metze

s4:provision_basedn_modify.ldif - fix up "maxPwdAge"

2010-05-13T11:03:31+00:00

s3:provision_basedn_modify.ldif - add "msDS-NcType" attribute and fix comments

2010-05-10T07:21:17+00:00

s4:provision Split up reference creation, load schema earlier in the stack

2009-11-16T23:38:04+00:00

The schema needs to be loaded above the extended_dn_out modules as
otherwise we don't get an extended DN in the search results.

The reference split is to ensure we create references after the
objects they reference exist.

Andrew Bartlett

s4: Improve provisioning: use relax control

2009-10-02T10:45:01+00:00

Give the possibility to specify controls when loading ldif files.
  Relax control is specified by default for all ldb_add_diff (request Andrew B).
  Set domainguid if specified at the creation of object instead of modifying afterward
  Allow to specify objectGUID for NTDS object of the first DC this option is used during provision upgrade.

s4:provision_basedn_modify - fix the "auditPolicy" attribute

2009-09-19T22:14:51+00:00

I had to think about how to encode the string 0x0001 (taken from Windows Server).
The problem is due to the "0" byte at the beginning of it. BASE64 encoding
seems a good method to do it.