samba.git/source4/setup, branch talloc-2.3.1 Unnamed repository; edit this file 'description' to name the repository. samba-tool: create working private krb5.conf 2019-10-08T12:50:38+00:00 Alexander Bokovoy ab@samba.org 2019-10-07T15:24:28+00:00 5a084994144704a6c146b94f8a22cf57ce08deab DNS update tool uses private krb5.conf which should have enough details to authenticate with GSS-TSIG when running nsupdate. Unfortunately, the configuration we provide is not enough. We set defaults to not lookup REALM via DNS but at the same time we don't provide any realm definition. As result, MIT Kerberos cannot actually find a working realm for Samba AD deployment because it cannot query DNS for a realm discovery or pick it up from the configuration. Extend private krb5.conf with a realm definition that will allow MIT Kerberos to look up KDC over DNS. Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
DNS update tool uses private krb5.conf which should have enough details
to authenticate with GSS-TSIG when running nsupdate.

Unfortunately, the configuration we provide is not enough. We set
defaults to not lookup REALM via DNS but at the same time we don't
provide any realm definition. As result, MIT Kerberos cannot actually
find a working realm for Samba AD deployment because it cannot query DNS
for a realm discovery or pick it up from the configuration.

Extend private krb5.conf with a realm definition that will allow MIT
Kerberos to look up KDC over DNS.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
samba-tool domain provision: Remove experimental OpenLDAP support 2019-08-30T08:32:30+00:00 Andrew Bartlett abartlet@samba.org 2019-03-11T21:52:24+00:00 a4f0a6519cde558fdedb08fbb4742dbf57ee4283 This feature has long been obsolete, remaining only in the hope that it might be revived in the future. Specifically, in 2011 the S4 OpenLDAP backend HOWTO was removed: commit 1d46325af8541ea467c79cd86e65f93ce6a14ff4 Author: Andrew Bartlett <abartlet@samba.org> Date: Wed Apr 27 22:42:29 2011 +1000 Remove outdated S4 OpenLDAP backend HOWTO. There is a project to revive this, hosted here: https://github.com/Symas/samba and https://github.com/Symas/samba_overlays However discussions at SambaXP with Nadezhda Ivanova indicate a new approach with slapd being started by Samba and taught to read native Samba ldb files is more likely in the short term. This has the advantage that Samba's provision and offline tooling would not need to change, with the solution looking more like how BIND9_DLZ has access to the Samba DB. If any of this is required then reverting these patches will be the least of the difficulties in bringing this to production. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com> 
This feature has long been obsolete, remaining only in the hope
that it might be revived in the future.

Specifically, in 2011 the S4 OpenLDAP backend HOWTO was removed:

 commit 1d46325af8541ea467c79cd86e65f93ce6a14ff4
 Author: Andrew Bartlett <abartlet@samba.org>
 Date:   Wed Apr 27 22:42:29 2011 +1000

     Remove outdated S4 OpenLDAP backend HOWTO.

There is a project to revive this, hosted here:

https://github.com/Symas/samba
and
https://github.com/Symas/samba_overlays

However discussions at SambaXP with Nadezhda Ivanova
indicate a new approach with slapd being started by Samba
and taught to read native Samba ldb files is more likely
in the short term.

This has the advantage that Samba's provision and offline
tooling would not need to change, with the solution looking
more like how BIND9_DLZ has access to the Samba DB.

If any of this is required then reverting these patches will be
the least of the difficulties in bringing this to production.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
sefltest: Remove tests for obsolete OpenLDAP backend 2019-08-30T08:32:30+00:00 Andrew Bartlett abartlet@samba.org 2019-03-11T22:49:01+00:00 4a2d3d8fd6318858260c3bc47443a6337da829ce Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Nadezhda Ivanova <nivanova@symas.com> 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
selftest: schema version check in provision test 2019-06-26T05:31:03+00:00 Aaron Haslett aaronhaslett@catalyst.net.nz 2019-04-11T05:44:48+00:00 e28365c515733bab10e93ba40c6123a57bef737f Modifying blackbox provision test to check schema version. Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Jun 26 05:31:03 UTC 2019 on sn-devel-184 
Modifying blackbox provision test to check schema version.

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jun 26 05:31:03 UTC 2019 on sn-devel-184
selftest: specifying 2008_R2 base schema for tests that need it 2019-06-26T04:12:33+00:00 Aaron Haslett aaronhaslett@catalyst.net.nz 2019-01-15T03:30:51+00:00 fc9845da69cabcc1bf046d7899b2c4aeae743170 We're going to change the default base schema so this patch changes all tests and testenvs requiring the current default (2008_R2) to specify it in all provision commands using --base-schema. Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
We're going to change the default base schema so this patch changes all
tests and testenvs requiring the current default (2008_R2) to specify it
in all provision commands using --base-schema.

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
provision: Suggest "minimal-responses yes;" by default 2019-06-21T00:52:19+00:00 Andrew Bartlett abartlet@samba.org 2019-06-19T17:11:41+00:00 e121c14405f9257ef640d2651326f082707cb66f This improves Samba AD DC performance as a DNS server dramatically, because NS records do not need to be looked up and there is less risk the response will have to fall back to TCP, doubling the cost again. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri Jun 21 00:52:19 UTC 2019 on sn-devel-184 
This improves Samba AD DC performance as a DNS server dramatically, because NS records do not
need to be looked up and there is less risk the response will have to fall back
to TCP, doubling the cost again.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Jun 21 00:52:19 UTC 2019 on sn-devel-184
repl: test for schema object and LA repl across chunks 2019-04-11T04:17:11+00:00 Aaron Haslett aaronhaslett@catalyst.net.nz 2019-02-19T01:33:33+00:00 5d8895f347ca0005240ec166fec4eb875f9cd356 During replication, transmission of objects and linked attributes are split into chunks. These two tests check behavioural consistency across chunks for regular schema objects and linked attributes. Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> 
During replication, transmission of objects and linked attributes are
split into chunks.  These two tests check behavioural consistency across
chunks for regular schema objects and linked attributes.

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
s4:provision: split out provision_self_join_modify_schema.ldif 2019-04-11T04:17:10+00:00 Stefan Metzmacher metze@samba.org 2019-03-08T10:27:14+00:00 5ea84af2d69e0b3a2a801ea0cc3f4ffc66bf1764 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13799

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
CVE-2019-3870 tests: Add test to check file-permissions are correct after provision 2019-04-08T10:27:34+00:00 Tim Beale timbeale@catalyst.net.nz 2019-03-15T00:52:50+00:00 0c8ad9c9dbeac1ad0ca3553a19d7bbf652bb650d This provisions a new DC and checks there are no world-writable files in the new DC's private directory. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
This provisions a new DC and checks there are no world-writable
files in the new DC's private directory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13834

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
provision: use ASCII quotes 2019-04-03T10:11:49+00:00 Philipp Gesang philipp.gesang@intra2net.com 2019-03-12T14:51:16+00:00 d01c5bc9fbe316d2358ead6382f4e7e3bf5fc000 Remove some Unicode quotes that cause problems under the C locale. Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
Remove some Unicode quotes that cause problems under the C
locale.

Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>