The branch, master has been updated
       via  73422e7... Revert "s4:provision_users.ldif - Import all essential groups for Windows Server 2008 mode"
       via  3af84c1... Revert "s4:provision_users.ldif - Remove foreign security principal S-1-5-17 for now"
       via  306de30... Revert "s4:provision_users.ldif - Fix memberships regarding the denied password RODC replication group"
       via  aa45015... Revert "s4:provision_users.ldif - Add objects for IIS"
       via  d0123e0... s4-selftest: when a command fails show both normal and expanded command
       via  1eebdfd... s4-test: fixed make test without having done make install
      from  2cedefa... s4:upgradeprovision - fix up the script regarding linked attributes
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 73422e7dd866f9c65e1ba5cd42fd027b5acf3a40
Author: Andrew Tridgell <tri...@samba.org>
Date: Mon Jan 11 10:08:30 2010 +1100

Revert "s4:provision_users.ldif - Import all essential groups for Windows Server 2008 mode"

This reverts commit 5c174c68ccba7506147feab1d09ad676792139b3.

This series of commits broke 'make test'. Matthias, please make sure you run a _full_ make test before every push.

commit 3af84c1cde9f210f9ee6608b2509a58646226127
Author: Andrew Tridgell <tri...@samba.org>
Date: Mon Jan 11 10:07:53 2010 +1100

Revert "s4:provision_users.ldif - Remove foreign security principal S-1-5-17 for now"

This reverts commit 61dfd3dc1dce2c0dd6693de80930af312ad3e39f.

This series of commits broke 'make test'. Matthias, please make sure you run a _full_ make test before every push.

commit 306de3051d8780c3ff2f97e0c61c28e5519aa661
Author: Andrew Tridgell <tri...@samba.org>
Date: Mon Jan 11 10:06:58 2010 +1100

Revert "s4:provision_users.ldif - Fix memberships regarding the denied password RODC replication group"

This reverts commit 9ee895fcf6327b1c2f5ee09fa565bd62974e9c58.

This series of commits broke 'make test'. Matthias, please make sure you run a _full_ make test before every push.

commit aa4501538a6df60719b0ab988cbd94f4495dacf1
Author: Andrew Tridgell <tri...@samba.org>
Date: Mon Jan 11 10:05:50 2010 +1100

Revert "s4:provision_users.ldif - Add objects for IIS"

This reverts commit 91e210028790397996659116446e6add452707f6.

This series of commits broke 'make test'. Matthias, please make sure you run a _full_ make test before every push.

commit d0123e0a9a4a9dc2e28d6f66afce73b9ab0b0936
Author: Andrew Tridgell <tri...@samba.org>
Date: Mon Jan 11 09:36:48 2010 +1100

s4-selftest: when a command fails show both normal and expanded command

It is sometimes hard to tell which variant of something like $SMB_CONF_PATH or $USERNAME is being used in a test.
By giving both the expanded command ($command with environment variables expanded) and non-expanded command it is easier to reproduce bugs outside the test environment. commit 1eebdfdbe7200fdc7788834a28818f8e0155904a Author: Andrew Tridgell <tri...@samba.org> Date: Mon Jan 11 09:29:29 2010 +1100 s4-test: fixed make test without having done make install client.conf didn't specify "setup directory" ----------------------------------------------------------------------- Summary of changes: selftest/selftest.pl | 13 +++ source4/setup/provision_users.ldif | 210 ++++++++++++++---------------------- 2 files changed, 92 insertions(+), 131 deletions(-) Changeset truncated at 500 lines: diff --git a/selftest/selftest.pl b/selftest/selftest.pl index 3536d41..883d2a0 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl @@ -212,6 +212,17 @@ sub cleanup_pcap($$) unlink($pcap_file); } +# expand strings from %ENV +sub expand_environment_strings($) +{ + my $s = shift; + # we use a reverse sort so we do the longer ones first + foreach my $k (sort { $b cmp $a } keys %ENV) { + $s =~ s/\$$k/$ENV{$k}/g; + } + return $s; +} + sub run_testsuite($$$$$) { my ($envname, $name, $cmd, $i, $totalsuites) = @_; @@ -255,6 +266,7 @@ sub run_testsuite($$$$$) } print "command: $cmd\n"; + printf "expanded command: %s\n", expand_environment_strings($cmd); my $exitcode = $ret >> 8; @@ -587,6 +599,7 @@ sub write_clientconf($$) #We don't want to pass our self-tests if the PAC code is wrong gensec:require_pac = true modules dir = $ENV{LD_SAMBA_MODULE_PATH} + setup directory = ./setup "; close(CF); } diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif index 2247094..c27249d 100644 --- a/source4/setup/provision_users.ldif +++ b/source4/setup/provision_users.ldif 
@@ -75,54 +75,43 @@ isCriticalSystemObject: TRUE # Add other groups -dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN} +dn: CN=Enterprise Admins,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Members of this group are Read-Only Domain Controllers in the enterprise -objectSid: ${DOMAINSID}-498 -sAMAccountName: Enterprise Read-Only Domain Controllers -groupType: -2147483640 +description: Designated administrators of the enterprise +member: CN=Administrator,CN=Users,${DOMAINDN} +objectSid: ${DOMAINSID}-519 +adminCount: 1 +sAMAccountName: Enterprise Admins isCriticalSystemObject: TRUE -dn: CN=Domain Admins,CN=Users,${DOMAINDN} +dn: CN=Schema Admins,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Designated administrators of the domain +description: Designated administrators of the schema member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-512 +objectSid: ${DOMAINSID}-518 adminCount: 1 -sAMAccountName: Domain Admins +sAMAccountName: Schema Admins isCriticalSystemObject: TRUE dn: CN=Cert Publishers,CN=Users,${DOMAINDN} objectClass: top objectClass: group description: Members of this group are permitted to publish certificates to the Active Directory +groupType: -2147483644 objectSid: ${DOMAINSID}-517 sAMAccountName: Cert Publishers -groupType: -2147483644 isCriticalSystemObject: TRUE -dn: CN=Schema Admins,CN=Users,${DOMAINDN} -objectClass: top -objectClass: group -description: Designated administrators of the schema -member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-518 -adminCount: 1 -sAMAccountName: Schema Admins -groupType: -2147483640 -isCriticalSystemObject: TRUE - -dn: CN=Enterprise Admins,CN=Users,${DOMAINDN} +dn: CN=Domain Admins,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Designated administrators of the enterprise +description: Designated administrators of the domain member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: 
${DOMAINSID}-519 +objectSid: ${DOMAINSID}-512 adminCount: 1 -sAMAccountName: Enterprise Admins -groupType: -2147483640 +sAMAccountName: Domain Admins isCriticalSystemObject: TRUE dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN} 
@@ -134,47 +123,57 @@ objectSid: ${DOMAINSID}-520 sAMAccountName: Group Policy Creator Owners isCriticalSystemObject: TRUE +dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN} +objectClass: top +objectClass: group +description: Servers in this group can access remote access properties of users +objectSid: ${DOMAINSID}-553 +sAMAccountName: RAS and IAS Servers +groupType: -2147483644 +isCriticalSystemObject: TRUE + dn: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Members of this group are Read-Only Domain Controllers in the domain +description: Read-only domain controllers objectSid: ${DOMAINSID}-521 -adminCount: 1 sAMAccountName: Read-Only Domain Controllers +groupType: -2147483644 isCriticalSystemObject: TRUE -dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN} +dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Servers in this group can access remote access properties of users -objectSid: ${DOMAINSID}-553 -sAMAccountName: RAS and IAS Servers +description: Enterprise read-only domain controllers +objectSid: ${DOMAINSID}-498 +sAMAccountName: Enterprise Read-Only Domain Controllers groupType: -2147483644 isCriticalSystemObject: TRUE -dn: CN=Allowed RODC Password Replication Group,CN=Users,${DOMAINDN} +dn: CN=Certificate Service DCOM Access,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain. 
-objectSid: ${DOMAINSID}-571 -sAMAccountName: Allowed RODC Password Replication Group +description: Certificate Service DCOM Access +objectSid: ${DOMAINSID}-574 +sAMAccountName: Certificate Service DCOM Access groupType: -2147483644 isCriticalSystemObject: TRUE -dn: CN=Denied RODC Password Replication Group,CN=Users,${DOMAINDN} +dn: CN=Cryptographic Operators,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain. -member: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN} -member: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN} -member: CN=Domain Admins,CN=Users,${DOMAINDN} -member: CN=Cert Publishers,CN=Users,${DOMAINDN} -member: CN=Enterprise Admins,CN=Users,${DOMAINDN} -member: CN=Schema Admins,CN=Users,${DOMAINDN} -member: CN=Domain Controllers,CN=Users,${DOMAINDN} -member: CN=krbtgt,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-572 -sAMAccountName: Denied RODC Password Replication Group +description: Cryptographic Operators +objectSid: ${DOMAINSID}-569 +sAMAccountName: Cryptographic Operators +groupType: -2147483644 +isCriticalSystemObject: TRUE + +dn: CN=Event Log Readers,CN=Users,${DOMAINDN} +objectClass: top +objectClass: group +description: Event Log Readers +objectSid: ${DOMAINSID}-573 +sAMAccountName: Event Log Readers groupType: -2147483644 isCriticalSystemObject: TRUE @@ -195,11 +194,6 @@ objectClass: top objectClass: foreignSecurityPrincipal objectSid: S-1-5-11 -dn: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN} -objectClass: top -objectClass: foreignSecurityPrincipal -objectSid: S-1-5-17 - dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN} objectClass: top objectClass: foreignSecurityPrincipal 
@@ -246,28 +240,6 @@ systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Account Operators,CN=Builtin,${DOMAINDN} -objectClass: top -objectClass: group -description: Members can administer domain user and group accounts -objectSid: S-1-5-32-548 -adminCount: 1 -sAMAccountName: Account Operators -systemFlags: -1946157056 -groupType: -2147483643 -isCriticalSystemObject: TRUE - -dn: CN=Server Operators,CN=Builtin,${DOMAINDN} -objectClass: top -objectClass: group -description: Members can administer domain servers -objectSid: S-1-5-32-549 -adminCount: 1 -sAMAccountName: Server Operators -systemFlags: -1946157056 -groupType: -2147483643 -isCriticalSystemObject: TRUE - dn: CN=Print Operators,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group @@ -301,17 +273,6 @@ systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN} -objectClass: top -objectClass: group -description: A backward compatibility group which allows read access on all users and groups in the domain -member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN} -objectSid: S-1-5-32-554 -sAMAccountName: Pre-Windows 2000 Compatible Access -systemFlags: -1946157056 -groupType: -2147483643 -isCriticalSystemObject: TRUE - dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group @@ -332,16 +293,6 @@ systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN} -objectClass: top -objectClass: group -description: Members of this group can create incoming, one-way trusts to this forest -objectSid: S-1-5-32-557 -sAMAccountName: Incoming Forest Trust Builders -systemFlags: -1946157056 -groupType: -2147483643 -isCriticalSystemObject: TRUE - dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group 
@@ -363,74 +314,76 @@ systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN} +dn: CN=Server Operators,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects -member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN} -objectSid: S-1-5-32-560 -sAMAccountName: Windows Authorization Access Group +description: Members can administer domain servers +objectSid: S-1-5-32-549 +adminCount: 1 +sAMAccountName: Server Operators systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN} +dn: CN=Account Operators,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Terminal Server License Servers -objectSid: S-1-5-32-561 -sAMAccountName: Terminal Server License Servers +description: Members can administer domain user and group accounts +objectSid: S-1-5-32-548 +adminCount: 1 +sAMAccountName: Account Operators systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN} +dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Members are allowed to launch, activate and use Distributed COM objects on this machine. 
-objectSid: S-1-5-32-562 -sAMAccountName: Distributed COM Users +description: A backward compatibility group which allows read access on all users and groups in the domain +member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN} +objectSid: S-1-5-32-554 +sAMAccountName: Pre-Windows 2000 Compatible Access systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=IIS_IUSRS,CN=Builtin,${DOMAINDN} +dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Integrated group used by the IIS -member: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN} -objectSid: S-1-5-32-568 -sAMAccountName: IIS_IUSRS +description: Members of this group can create incoming, one-way trusts to this forest +objectSid: S-1-5-32-557 +sAMAccountName: Incoming Forest Trust Builders systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Cryptographic Operators,CN=Builtin,${DOMAINDN} +dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Members are authorized to perform cryptographic operations. -objectSid: S-1-5-32-569 -sAMAccountName: Cryptographic Operators +description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects +member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN} +objectSid: S-1-5-32-560 +sAMAccountName: Windows Authorization Access Group systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Event Log Readers,CN=Builtin,${DOMAINDN} +dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Members of this group can read event logs from local machine. 
-objectSid: S-1-5-32-573 -sAMAccountName: Event Log Readers +description: Terminal Server License Servers +objectSid: S-1-5-32-561 +sAMAccountName: Terminal Server License Servers systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Certificate Service DCOM Access,CN=Builtin,${DOMAINDN} +dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Members of this group are allowed to connect to Certification Authorities in the enterprise. -objectSid: S-1-5-32-574 -sAMAccountName: Certificate Service DCOM Access +description: Members are allowed to launch, activate and use Distributed COM objects on this machine. +objectSid: S-1-5-32-562 +sAMAccountName: Distributed COM Users systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE @@ -492,11 +445,6 @@ objectClass: top objectClass: foreignSecurityPrincipal objectSid: S-1-5-4 -dn: CN=IUSR,CN=WellKnown Security Principals,${CONFIGDN} -objectClass: top -objectClass: foreignSecurityPrincipal -objectSid: S-1-5-17 - dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN} objectClass: top objectClass: foreignSecurityPrincipal -- Samba Shared Repository
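Review bot: In expand_environment_strings() (selftest/selftest.pl, @@ -212 hunk) the key is interpolated into the pattern unescaped and with no boundary after it, as in s/\$$k/$ENV{$k}/g, so a key containing regex metacharacters changes what is matched, the ${NAME} form is never expanded, and a substituted value that itself contains $OTHER is expanded again by a later iteration. A single pass such as s/\$(\w+)/exists $ENV{$1} ? $ENV{$1} : "\$$1"/ge avoids all three and makes the reverse sort unnecessary.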
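Review bot: The added printf "expanded command: %s\n" in run_testsuite() (@@ -255 hunk) writes the value of every environment variable the command references into the test output, so a command that takes a password from the environment will have it in clear text in any saved or published log. Consider masking a short list of sensitive variable names inside expand_environment_strings() before printing.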
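Review bot: "setup directory = ./setup" in write_clientconf() (@@ -587 hunk) is a relative path, so it resolves against whatever directory the client is started from, unlike the "modules dir = $ENV{LD_SAMBA_MODULE_PATH}" line just above it. Build it as an absolute path from the source directory so the tests do not depend on the working directory.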
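Review bot: Removing the Denied RODC Password Replication Group in the @@ -134 hunk of source4/setup/provision_users.ldif leaves a provisioned domain with no group listing the accounts (Domain Admins, Enterprise Admins, Schema Admins, krbtgt and the others in the removed member lines) whose passwords must not replicate to read-only domain controllers, and the same hunk takes "adminCount: 1" off Read-Only Domain Controllers. The commit message gives only the 'make test' breakage as the reason; it should name the failing test so the series can be re-landed with this group restored.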
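Review bot: In the @@ -363 hunk the CN=Builtin entries for Cryptographic Operators, Event Log Readers and Certificate Service DCOM Access (S-1-5-32-569, S-1-5-32-573, S-1-5-32-574) are removed, leaving only the CN=Users groups with domain-relative SIDs (${DOMAINSID}-569, -573, -574) that the @@ -134 hunk restores. Access checks that reference the builtin alias SIDs will not match those groups, so the Builtin forms should come back when the series is re-landed rather than staying reverted.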