The branch, master has been updated
       via  5c58ccb wscript: Add --with-system-heimdalkrb5
       via  0940f85 WHATSNEW: Added entries for PSOs, domain backup/restore, and rename
      from  36b4b56 pass 'rdonly' or 'directory' flag to open a directory file.

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 5c58ccba71022e165b2617674a1225ec9b960183
Author: Christof Schmitt <c...@samba.org>
Date:   Tue Jul 10 14:51:02 2018 -0700

    wscript: Add --with-system-heimdalkrb5

    Add the configure option --with-system-heimdalkrb5 to build Samba
    explicitly with a system Heimdal kerberos library. This does the same as
    the more complicated syntax
    --bundled-libraries='!heimdal,!asn1,!com_err,!roken,!hx509,!wind,!gssapi,!hcrypto,!krb5,!heimbase,!asn1_compile,!compile_et,!kdc,!hdb,!heimntlm'
    and it also enforces the conflicts with MIT Kerberos and the AD DC build.

    Signed-off-by: Christof Schmitt <c...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Jul 11 05:18:59 CEST 2018 on sn-devel-144

commit 0940f8560fc67caf79c1b4090bf6cbfc644ddc93
Author: Tim Beale <timbe...@catalyst.net.nz>
Date:   Wed Jul 11 10:15:12 2018 +1200

    WHATSNEW: Added entries for PSOs, domain backup/restore, and rename

    Added WHATSNEW blurbs for the following features:
    - Password Settings Objects
    - Domain backup and restore
    - Domain rename tool

    Signed-off-by: Tim Beale <timbe...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    Reviewed-by: Gary Lockyer <g...@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                         | 51 ++++++++++++++++++++++++++++++++++++
 buildtools/wafsamba/samba_bundled.py |  2 ++
 buildtools/wafsamba/wscript          |  1 +
 wscript                              | 20 ++++++++++++++
 4 files changed, 74 insertions(+)

Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 5ddf7c4..7823612 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -112,6 +112,57 @@ samba has not been built with the --without-ldb-lmdb option. Please note this is an experimental feature and is not recommended for production deployments. +Password Settings Objects +------------------------- +Support has been added for Password Settings Objects (PSOs). This AD feature is +also known as Fine-Grained Password Policies (FGPP). + +PSOs allow AD administrators to override the domain password policy settings +for specific users, or groups of users. For example, PSOs can force certain +users to have longer password lengths, or relax the complexity constraints for +other users, and so on. PSOs can be applied to groups or to individual users. +When multiple PSOs apply to the same user, essentially the PSO with the best +precedence takes effect. + +PSOs can be configured and applied to users/groups using the 'samba-tool domain +passwordsettings pso' set of commands. + +Domain backup and restore +------------------------- +A new samba-tool command has been added that allows administrators to create a +backup-file of their domain DB. In the event of a catastrophic failure of the +domain, this backup-file can be used to restore Samba services. + +The new 'samba-tool domain backup online' command takes a snapshot of the +domain DB from a given DC. In the event of a catastrophic DB failure, all DCs +in the domain should be taken offline, and the backup-file can then be used to +recreate a fresh new DC, using the 'samba-tool domain backup restore' command. +Once the backed-up domain DB has been restored on the new DC, other DCs can +then subsequently be joined to the new DC, in order to repopulate the Samba +network. + +Domain rename tool +------------------ +Basic support has been added for renaming a Samba domain. The rename feature is +designed for the following cases: +1). Running a temporary alternate domain, in the event of a catastrophic +failure of the regular domain. 
Using a completely different domain name and +realm means that the original domain and the renamed domain can both run at the +same time, without interfering with each other. This is an advantage over +creating a regular 'online' backup - it means the renamed/alternate domain can +provide core Samba network services, while trouble-shooting the fault on the +original domain can be done in parallel. +2). Creating a realistic lab domain or pre-production domain for testing. + +Note that the renamed tool is currently not intended to support a long-term +rename of the production domain. Currently renaming the GPOs is not supported +and would need to be done manually. + +The domain rename is done in two steps: first, the 'samba-tool domain backup +rename' command will clone the domain DB, renaming it in the process, and +producing a backup-file. Then, the 'samba-tool domain backup restore' command +takes the backup-file and restores the renamed DB to disk on a fresh DC. + REMOVED FEATURES ================ diff --git a/buildtools/wafsamba/samba_bundled.py b/buildtools/wafsamba/samba_bundled.py index aa6199e..253d604 100644 --- a/buildtools/wafsamba/samba_bundled.py +++ b/buildtools/wafsamba/samba_bundled.py @@ -85,6 +85,8 @@ def minimum_library_version(conf, libname, default): @conf def LIB_MAY_BE_BUNDLED(conf, libname): + if libname in conf.env.SYSTEM_LIBS: + return False if libname in conf.env.BUNDLED_LIBS: return True if '!%s' % libname in conf.env.BUNDLED_LIBS: diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript index 1567c4b..0eef330 100644 --- a/buildtools/wafsamba/wscript +++ b/buildtools/wafsamba/wscript 
@@ -269,6 +269,7 @@ def configure(conf): conf.env.MODULESDIR = Options.options.MODULESDIR conf.env.PRIVATELIBDIR = Options.options.PRIVATELIBDIR conf.env.BUNDLED_LIBS = Options.options.BUNDLED_LIBS.split(',') + conf.env.SYSTEM_LIBS = () conf.env.PRIVATE_LIBS = Options.options.PRIVATE_LIBS.split(',') conf.env.BUILTIN_LIBRARIES = Options.options.BUILTIN_LIBRARIES.split(',') conf.env.NONSHARED_BINARIES = Options.options.NONSHARED_BINARIES.split(',') diff --git a/wscript b/wscript index b1b69c1..19fc6d1 100644 --- a/wscript +++ b/wscript @@ -62,6 +62,14 @@ def set_options(opt): dest='with_system_mitkdc', default=None) + opt.add_option('--with-system-heimdalkrb5', + help=('build Samba with system Heimdal Kerberos. ' + + 'Requires --without-ad-dc' and + 'conflicts with --with-system-mitkrb5'), + action='store_true', + dest='with_system_heimdalkrb5', + default=False) + opt.add_option('--without-ad-dc', help='disable AD DC functionality (enables only Samba FS (File Server, Winbind, NMBD) and client utilities.', action='store_true', dest='without_ad_dc', default=False) @@ -206,6 +214,18 @@ def configure(conf): if not (Options.options.without_ad_dc or Options.options.with_system_mitkrb5): conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1) + if Options.options.with_system_heimdalkrb5: + if Options.options.with_system_mitkrb5: + raise Utils.WafError('--with-system-heimdalkrb5 conflicts with ' + + '--with-system-mitkrb5') + if not Options.options.without_ad_dc: + raise Utils.WafError('--with-system-heimdalkrb5 requires ' + + '--without-ad-dc') + conf.env.SYSTEM_LIBS += ('heimdal', 'asn1', 'com_err', 'roken', + 'hx509', 'wind', 'gssapi', 'hcrypto', + 'krb5', 'heimbase', 'asn1_compile', + 'compile_et', 'kdc', 'hdb', 'heimntlm') + # Only process heimdal_build for non-MIT KRB5 builds # When MIT KRB5 checks are done as above, conf.env.KRB5_VENDOR will be set # to the lowcased output of 'krb5-config --vendor'. -- Samba Shared Repository
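
Review bot: In the set_options hunk of the top-level wscript, the help argument for --with-system-heimdalkrb5 has a bare Python `and` between two string literals ('Requires --without-ad-dc' and 'conflicts with --with-system-mitkrb5'). Since + binds tighter than and, the whole expression evaluates to the last literal only, so the option's help text would read just 'conflicts with --with-system-mitkrb5' and the --without-ad-dc requirement never reaches the user. Move the word inside the string, for example 'Requires --without-ad-dc and ' + 'conflicts with --with-system-mitkrb5'.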
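
Review bot: In the configure hunk of the top-level wscript, the fifteen library names appended to conf.env.SYSTEM_LIBS are an unexplained inline tuple that has to stay in step with whatever the bundled Heimdal build provides, and nothing in the hunk says where the list comes from. A named constant with a one-line comment (it mirrors the '!heimdal,!asn1,...' list from the commit message) would make a future omission easier to spot, since a name missing from the tuple would leave that library eligible for bundling in a build the option describes as system Heimdal.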
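
Review bot: In the LIB_MAY_BE_BUNDLED hunk of buildtools/wafsamba/samba_bundled.py, the new SYSTEM_LIBS test returns False before BUNDLED_LIBS is consulted, so a library named in both lists (for example --with-system-heimdalkrb5 combined with --bundled-libraries=krb5) is silently treated as system-only. Either document that SYSTEM_LIBS takes precedence, or detect the contradiction at configure time and raise an error, so the resulting build is not a surprise to whoever asked for the bundled copy.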
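
Review bot: In the configure hunk of buildtools/wafsamba/wscript, conf.env.SYSTEM_LIBS is initialised to an empty tuple while the neighbouring BUNDLED_LIBS, PRIVATE_LIBS and BUILTIN_LIBRARIES are lists produced by split(','), and unlike them it is not fed from any option. A short comment stating that it is filled in later by the top-level wscript, and using a list for consistency with its neighbours, would make the new variable's role clear to the next reader.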
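
Review bot: In the WHATSNEW.txt hunk, the Domain rename section says "Note that the renamed tool is currently not intended", which should read "rename tool", and the list markers "1)." and "2)." carry a stray period. In the PSO section, "essentially the PSO with the best precedence takes effect" leaves an administrator guessing what "best" means; state the rule directly, or point to the 'samba-tool domain passwordsettings pso' help for it.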