The branch, master has been updated
via 5c58ccb wscript: Add --with-system-heimdalkrb5
via 0940f85 WHATSNEW: Added entries for PSOs, domain backup/restore,
and rename
from 36b4b56 pass 'rdonly' or 'directory' flag to open a directory file.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 5c58ccba71022e165b2617674a1225ec9b960183
Author: Christof Schmitt <c...@samba.org>
Date: Tue Jul 10 14:51:02 2018 -0700
wscript: Add --with-system-heimdalkrb5
Add the configure option --with-system-heimdalkrb5 to build Samba
explicitly with a system Heimdal kerberos library. This does the same as
the more complicated syntax
--bundled-libraries='!heimdal,!asn1,!com_err,!roken,!hx509,!wind,!gssapi,!hcrypto,!krb5,!heimbase,!asn1_compile,!compile_et,!kdc,!hdb,!heimntlm'
and it also enforces the conflicts with MIT Kerbros and the AD DC
build.
Signed-off-by: Christof Schmitt <c...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
Autobuild-Date(master): Wed Jul 11 05:18:59 CEST 2018 on sn-devel-144
commit 0940f8560fc67caf79c1b4090bf6cbfc644ddc93
Author: Tim Beale <timbe...@catalyst.net.nz>
Date: Wed Jul 11 10:15:12 2018 +1200
WHATSNEW: Added entries for PSOs, domain backup/restore, and rename
Added WHATSNEW blurbs for the following features:
- Password Settings Objects
- Domain backup and restore
- Domain rename tool
Signed-off-by: Tim Beale <timbe...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 51 ++++++++++++++++++++++++++++++++++++
buildtools/wafsamba/samba_bundled.py | 2 ++
buildtools/wafsamba/wscript | 1 +
wscript | 20 ++++++++++++++
4 files changed, 74 insertions(+)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5ddf7c4..7823612 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -112,6 +112,57 @@ samba has not been built with the --without-ldb-lmdb
option.
Please note this is an experimental feature and is not recommended for
production deployments.
+Password Settings Objects
+-------------------------
+Support has been added for Password Settings Objects (PSOs). This AD feature is
+also known as Fine-Grained Password Policies (FGPP).
+
+PSOs allow AD administrators to override the domain password policy settings
+for specific users, or groups of users. For example, PSOs can force certain
+users to have longer password lengths, or relax the complexity constraints for
+other users, and so on. PSOs can be applied to groups or to individual users.
+When multiple PSOs apply to the same user, essentially the PSO with the best
+precedence takes effect.
+
+PSOs can be configured and applied to users/groups using the 'samba-tool domain
+passwordsettings pso' set of commands.
+
+Domain backup and restore
+-------------------------
+A new samba-tool command has been added that allows administrators to create a
+backup-file of their domain DB. In the event of a catastrophic failure of the
+domain, this backup-file can be used to restore Samba services.
+
+The new 'samba-tool domain backup online' command takes a snapshot of the
+domain DB from a given DC. In the event of a catastrophic DB failure, all DCs
+in the domain should be taken offline, and the backup-file can then be used to
+recreate a fresh new DC, using the 'samba-tool domain backup restore' command.
+Once the backed-up domain DB has been restored on the new DC, other DCs can
+then subsequently be joined to the new DC, in order to repopulate the Samba
+network.
+
+Domain rename tool
+------------------
+Basic support has been added for renaming a Samba domain. The rename feature is
+designed for the following cases:
+1). Running a temporary alternate domain, in the event of a catastrophic
+failure of the regular domain. Using a completely different domain name and
+realm means that the original domain and the renamed domain can both run at the
+same time, without interfering with each other. This is an advantage over
+creating a regular 'online' backup - it means the renamed/alternate domain can
+provide core Samba network services, while trouble-shooting the fault on the
+original domain can be done in parallel.
+2). Creating a realistic lab domain or pre-production domain for testing.
+
+Note that the renamed tool is currently not intended to support a long-term
+rename of the production domain. Currently renaming the GPOs is not supported
+and would need to be done manually.
+
+The domain rename is done in two steps: first, the 'samba-tool domain backup
+rename' command will clone the domain DB, renaming it in the process, and
+producing a backup-file. Then, the 'samba-tool domain backup restore' command
+takes the backup-file and restores the renamed DB to disk on a fresh DC.
+
REMOVED FEATURES
================
diff --git a/buildtools/wafsamba/samba_bundled.py
b/buildtools/wafsamba/samba_bundled.py
index aa6199e..253d604 100644
--- a/buildtools/wafsamba/samba_bundled.py
+++ b/buildtools/wafsamba/samba_bundled.py
@@ -85,6 +85,8 @@ def minimum_library_version(conf, libname, default):
@conf
def LIB_MAY_BE_BUNDLED(conf, libname):
+ if libname in conf.env.SYSTEM_LIBS:
+ return False
if libname in conf.env.BUNDLED_LIBS:
return True
if '!%s' % libname in conf.env.BUNDLED_LIBS:
diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
index 1567c4b..0eef330 100644
--- a/buildtools/wafsamba/wscript
+++ b/buildtools/wafsamba/wscript
@@ -269,6 +269,7 @@ def configure(conf):
conf.env.MODULESDIR = Options.options.MODULESDIR
conf.env.PRIVATELIBDIR = Options.options.PRIVATELIBDIR
conf.env.BUNDLED_LIBS = Options.options.BUNDLED_LIBS.split(',')
+ conf.env.SYSTEM_LIBS = ()
conf.env.PRIVATE_LIBS = Options.options.PRIVATE_LIBS.split(',')
conf.env.BUILTIN_LIBRARIES = Options.options.BUILTIN_LIBRARIES.split(',')
conf.env.NONSHARED_BINARIES = Options.options.NONSHARED_BINARIES.split(',')
diff --git a/wscript b/wscript
index b1b69c1..19fc6d1 100644
--- a/wscript
+++ b/wscript
@@ -62,6 +62,14 @@ def set_options(opt):
dest='with_system_mitkdc',
default=None)
+ opt.add_option('--with-system-heimdalkrb5',
+ help=('build Samba with system Heimdal Kerberos. ' +
+ 'Requires --without-ad-dc' and
+ 'conflicts with --with-system-mitkrb5'),
+ action='store_true',
+ dest='with_system_heimdalkrb5',
+ default=False)
+
opt.add_option('--without-ad-dc',
help='disable AD DC functionality (enables only Samba FS
(File Server, Winbind, NMBD) and client utilities.',
action='store_true', dest='without_ad_dc', default=False)
@@ -206,6 +214,18 @@ def configure(conf):
if not (Options.options.without_ad_dc or
Options.options.with_system_mitkrb5):
conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1)
+ if Options.options.with_system_heimdalkrb5:
+ if Options.options.with_system_mitkrb5:
+ raise Utils.WafError('--with-system-heimdalkrb5 conflicts with ' +
+ '--with-system-mitkrb5')
+ if not Options.options.without_ad_dc:
+ raise Utils.WafError('--with-system-heimdalkrb5 requires ' +
+ '--without-ad-dc')
+ conf.env.SYSTEM_LIBS += ('heimdal', 'asn1', 'com_err', 'roken',
+ 'hx509', 'wind', 'gssapi', 'hcrypto',
+ 'krb5', 'heimbase', 'asn1_compile',
+ 'compile_et', 'kdc', 'hdb', 'heimntlm')
+
# Only process heimdal_build for non-MIT KRB5 builds
# When MIT KRB5 checks are done as above, conf.env.KRB5_VENDOR will be set
# to the lowcased output of 'krb5-config --vendor'.
--
Samba Shared Repository
