Changeset 988 for vendor/current/source4/setup

Timestamp:

Nov 24, 2016, 1:14:11 PM (9 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update vendor to version 4.4.3

Location:

vendor/current/source4/setup

Files:

• cn=replicator.ldif (deleted)
• cn=samba-admin.ldif (deleted)
• cn=samba.ldif (modified) (1 diff)
• dns_update_list (modified) (1 diff)
• named.conf (modified) (1 diff)
• named.conf.dlz (added)
• named.txt (modified) (1 diff)
• phpldapadmin-config.php (deleted)
• provision (deleted)
• provision.ldif (modified) (5 diffs)
• provision.smb.conf.dc (deleted)
• provision.smb.conf.member (deleted)
• provision.smb.conf.standalone (deleted)
• provision_basedn_modify.ldif (modified) (1 diff)
• provision_basedn_options.ldif (added)
• provision_computers_add.ldif (modified) (1 diff)
• provision_configuration.ldif (modified) (8 diffs)
• provision_configuration_modify.ldif (added)
• provision_dns_accounts_add.ldif (added)
• provision_dns_add.ldif (deleted)
• provision_dns_add_samba.ldif (added)
• provision_dnszones_add.ldif (added)
• provision_dnszones_modify.ldif (added)
• provision_dnszones_partitions.ldif (added)
• provision_init.ldif (modified) (1 diff)
• provision_rootdse_modify.ldif (modified) (1 diff)
• provision_self_join.ldif (modified) (1 diff)
• provision_self_join_config.ldif (added)
• provision_self_join_modify.ldif (modified) (2 diffs)
• provision_self_join_modify_config.ldif (added)
• provision_users.ldif (modified) (1 diff)
• provision_users_add.ldif (modified) (1 diff)
• provision_well_known_sec_princ.ldif (added)
• schema_samba4.ldif (modified) (3 diffs)
• secrets_dns.ldif (modified) (1 diff)
• slapd.conf (modified) (8 diffs)
• spn_update_list (modified) (2 diffs)
• tests/blackbox_group.sh (modified) (4 diffs)
• tests/blackbox_newuser.sh (modified) (2 diffs)
• tests/blackbox_provision-backend.sh (modified) (1 diff)
• tests/blackbox_provision.sh (modified) (2 diffs)
• tests/blackbox_s3upgrade.sh (added)
• tests/blackbox_setpassword.sh (modified) (1 diff)
• tests/blackbox_upgradeprovision.sh (modified) (3 diffs)
• upgrade_from_s3 (deleted)
• wscript_build (modified) (2 diffs)
• ypServ30.ldif (added)

vendor/current/source4/setup/cn=samba.ldif

@@ -3 +3 @@
 objectClass: container
 cn: Samba
-structuralObjectClass: container
-entryUUID: b1d4823a-e58c-102c-9f74-51b6d59a1b68
-creatorsName:
-createTimestamp: 20080714010529Z
-entryCSN: 20080714010529.194412Z#000000#000#000000
-modifiersName:
-modifyTimestamp: 20080714010529Z
+
+dn: cn=samba-admin,cn=samba
+objectClass: top
+objectClass: person
+cn: samba-admin
+userPassword: ${LDAPADMINPASS}
+
+${MMR}dn: cn=replicator,cn=samba
+${MMR}objectClass: top
+${MMR}objectClass: person
+${MMR}cn: replicator
+${MMR}userPassword: ${MMR_PASSWORD}

vendor/current/source4/setup/dns_update_list

@@ -1 +1 @@
 # this is a list of DNS entries which will be put into DNS using
 # dynamic DNS update. It is processed by the samba_dnsupdate script
-A                                                        ${DNSDOMAIN} $IP
-A                                                        ${HOSTNAME} $IP
-CNAME ${NTDSGUID}._msdcs.${DNSDOMAIN}                    ${HOSTNAME}
-SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
-SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}     ${HOSTNAME} 389
-SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN}                ${HOSTNAME} 88
-SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 389
-SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
-SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSDOMAIN}     ${HOSTNAME} 3268
-SRV _ldap._tcp.gc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 3268
-SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                   ${HOSTNAME} 389
-SRV _gc._tcp.${SITE}._sites.${DNSDOMAIN}                 ${HOSTNAME} 3268
-SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN}           ${HOSTNAME} 88
-SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN}               ${HOSTNAME} 389
-SRV _gc._tcp.${DNSDOMAIN}                                ${HOSTNAME} 3268
-SRV _kerberos._tcp.${DNSDOMAIN}                          ${HOSTNAME} 88
-SRV _kpasswd._tcp.${DNSDOMAIN}                           ${HOSTNAME} 464
-SRV _ldap._tcp.${DNSDOMAIN}                              ${HOSTNAME} 389
-SRV _kerberos._udp.${DNSDOMAIN}                          ${HOSTNAME} 88
-SRV _kpasswd._udp.${DNSDOMAIN}                           ${HOSTNAME} 464
+A                      ${HOSTNAME}                                           $IP
+AAAA                   ${HOSTNAME}                                           $IP
+
+# RW domain controller
+${IF_RWDC}A            ${DNSDOMAIN}                                          $IP
+${IF_RWDC}AAAA         ${DNSDOMAIN}                                          $IP
+${IF_RWDC}SRV          _ldap._tcp.${DNSDOMAIN}                               ${HOSTNAME} 389
+${IF_RWDC}SRV          _ldap._tcp.dc._msdcs.${DNSDOMAIN}                     ${HOSTNAME} 389
+${IF_RWDC}SRV          _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST}  ${HOSTNAME} 389
+${IF_RWDC}SRV          _kerberos._tcp.${DNSDOMAIN}                           ${HOSTNAME} 88
+${IF_RWDC}SRV          _kerberos._udp.${DNSDOMAIN}                           ${HOSTNAME} 88
+${IF_RWDC}SRV          _kerberos._tcp.dc._msdcs.${DNSDOMAIN}                 ${HOSTNAME} 88
+${IF_RWDC}SRV          _kpasswd._tcp.${DNSDOMAIN}                            ${HOSTNAME} 464
+${IF_RWDC}SRV          _kpasswd._udp.${DNSDOMAIN}                            ${HOSTNAME} 464
+# RW and RO domain controller
+${IF_DC}CNAME          ${NTDSGUID}._msdcs.${DNSFOREST}                       ${HOSTNAME}
+${IF_DC}SRV            _ldap._tcp.${SITE}._sites.${DNSDOMAIN}                ${HOSTNAME} 389
+${IF_DC}SRV            _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}      ${HOSTNAME} 389
+${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.${DNSDOMAIN}            ${HOSTNAME} 88
+${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}  ${HOSTNAME} 88
+
+# The PDC emulator
+${IF_PDC}SRV           _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 389
+
+# RW GC servers
+${IF_RWGC}A            gc._msdcs.${DNSFOREST}                                $IP
+${IF_RWGC}AAAA         gc._msdcs.${DNSFOREST}                                $IP
+${IF_RWGC}SRV          _gc._tcp.${DNSFOREST}                                 ${HOSTNAME} 3268
+${IF_RWGC}SRV          _ldap._tcp.gc._msdcs.${DNSFOREST}                     ${HOSTNAME} 3268
+# RW and RO GC servers
+${IF_GC}SRV            _gc._tcp.${SITE}._sites.${DNSFOREST}                  ${HOSTNAME} 3268
+${IF_GC}SRV            _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST}      ${HOSTNAME} 3268
+
+# RW DNS servers
+${IF_RWDNS_DOMAIN}A    DomainDnsZones.${DNSDOMAIN}                           $IP
+${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN}                           $IP
+${IF_RWDNS_DOMAIN}SRV  _ldap._tcp.DomainDnsZones.${DNSDOMAIN}                ${HOSTNAME} 389
+# RW and RO DNS servers
+${IF_DNS_DOMAIN}SRV    _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
+
+# RW DNS servers
+${IF_RWDNS_FOREST}A    ForestDnsZones.${DNSFOREST}                           $IP
+${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST}                           $IP
+${IF_RWDNS_FOREST}SRV  _ldap._tcp.ForestDnsZones.${DNSFOREST}                ${HOSTNAME} 389
+# RW and RO DNS servers
+${IF_DNS_FOREST}SRV    _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
+

vendor/current/source4/setup/named.conf

@@ -33 +33 @@
 # Note that the reverse zone file is not created during the provision process.
 
-# The most recent BIND versions (9.7.2 or later) support secure GSS-TSIG
+# The most recent BIND versions (9.8 or later) support secure GSS-TSIG
 # updates.  If you are running an earlier version of BIND, or if you do not wish
 # to use secure GSS-TSIG updates, you may remove the update-policy sections in

vendor/current/source4/setup/named.txt

@@ -1 +1 @@
 # Additional informations for DNS setup using BIND
 
-# If you are running a capable version of BIND and you wish to support secure
-# GSS-TSIG updates, you must make the following configuration changes:
+# If you are running a capable version of BIND and you wish to support
+# secure GSS-TSIG updates, you must make the following configuration
+# changes:
 
-# - Insert the following lines into the options {} section of your named.conf
-# file:
-tkey-gssapi-credential "DNS/${DNSDOMAIN}";
-tkey-domain "${REALM}";
+#
+# Steps for BIND 9.8.x and 9.9.x -----------------------------------------
+#
 
-# - Modify BIND init scripts to pass the location of the generated keytab file.
-# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named
-# for this purpose:
-KEYTAB_FILE="${DNS_KEYTAB_ABS}"
-# Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a
-# variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon.  If
-# your distribution does not provide a variable like KEYTAB_FILE to pass a
-# keytab file to the BIND daemon, a workaround is to place the following line in
-# BIND's sysconfig file or in the init script for BIND:
-export KRB5_KTNAME="${DNS_KEYTAB_ABS}"
+# 1. Insert following lines into the options {} section of your named.conf 
+#    file:
+tkey-gssapi-keytab "${DNS_KEYTAB_ABS}";
 
-# - Set appropriate ownership and permissions on the ${DNS_KEYTAB} file.  Note
-# that most distributions have BIND configured to run under a non-root user
-# account.  For example, Fedora 9 runs BIND as the user "named" once the daemon
-# relinquishes its rights.  Therefore, the file ${DNS_KEYTAB} must be readable
-# by the user that BIND run as.  If BIND is running as a non-root user, the
-# "${DNS_KEYTAB}" file must have its permissions altered to allow the daemon to
-# read it.  Under Fedora 9, execute the following commands:
-chgrp named ${DNS_KEYTAB_ABS}
-chmod g+r ${DNS_KEYTAB_ABS}
+# 2. If SELinux is enabled, ensure that all files have the appropriate 
+#    SELinux file contexts.  The ${DNS_KEYTAB} file must be accessible by the 
+#    BIND daemon and should have a SELinux type of named_conf_t.  This can be 
+#    set with the following command:
+chcon -t named_conf_t ${DNS_KEYTAB_ABS}
 
-# - Ensure the BIND zone file(s) that will be dynamically updated are in a
-# directory where the BIND daemon can write.  When BIND performs dynamic
-# updates, it not only needs to update the zone file itself but it must also
-# create a journal (.jnl) file to track the dynamic updates as they occur.
-# Under Fedora 9, the /var/named directory can not be written to by the "named"
-# user.  However, the directory /var/named/dynamic directory does provide write
-# access.  Therefore the zone files were placed under the /var/named/dynamic
-# directory.  The file directives in both example zone statements at the
-# beginning of this file were changed by prepending the directory "dynamic/".
+#    Even if not using SELinux, do confirm (only) BIND can access this file as the 
+#    user it becomes (generally not root).
 
-# - If SELinux is enabled, ensure that all files have the appropriate SELinux
-# file contexts.  The ${DNS_KEYTAB} file must be accessible by the BIND daemon
-# and should have a SELinux type of named_conf_t.  This can be set with the
-# following command:
-chcon -t named_conf_t ${DNS_KEYTAB_ABS}
+#
+# Steps for BIND 9.x.x using BIND9_DLZ ------------------------------
+#
+
+# 3. Disable chroot support in BIND.  
+#    BIND is often configured to run in a chroot, but this is not
+#    compatible with access to the dns/sam.ldb files that database
+#    access and updates require.  Additionally, the DLZ plugin is
+#    linked to a large number of Samba shared libraries and loads
+#    additonal plugins.
+
+#
+# Steps for BIND 9.x.x using BIND9_FLATFILE ------------------------------
+#
+
+# 3. Ensure the BIND zone file(s) that will be dynamically updated are in 
+#    a directory where the BIND daemon can write.  When BIND performs 
+#    dynamic updates, it not only needs to update the zone file itself but 
+#    it must also create a journal (.jnl) file to track the dynamic updates 
+#    as they occur.  Under Fedora 9, the /var/named directory can not be 
+#    written to by the "named" user.  However, the directory /var/named/dynamic 
+#    directory does provide write access.  Therefore the zone files were 
+#    placed under the /var/named/dynamic directory.  The file directives in 
+#    both example zone statements at the beginning of this file were changed 
+#    by prepending the directory "dynamic/".
+

vendor/current/source4/setup/provision.ldif

@@ -25 +25 @@
 systemFlags: -1946157056
 uASCompat: 1
+nTSecurityDescriptor:: ${BUILTIN_DESCRIPTOR}
 
 dn: CN=Deleted Objects,${DOMAINDN}
@@ -46 +47 @@
 showInAdvancedViewOnly: FALSE
 gPLink: [LDAP://CN={${POLICYGUID_DC}},CN=Policies,CN=System,${DOMAINDN};0]
+nTSecurityDescriptor:: ${DOMAIN_CONTROLLERS_DESCRIPTOR}
 
 # Joined DC located in "provision_self_join.ldif"
@@ -64 +66 @@
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
+nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
 
 dn: CN=LostAndFound,${DOMAINDN}
@@ -71 +74 @@
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
+nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR}
 
 dn: CN=NTDS Quotas,${DOMAINDN}
@@ -96 +100 @@
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
+nTSecurityDescriptor:: ${SYSTEM_DESCRIPTOR}
 
 dn: CN=AdminSDHolder,CN=System,${DOMAINDN}

vendor/current/source4/setup/provision_basedn_modify.ldif

@@ -83 +83 @@
 pwdHistoryLength: 24
 -
-replace: rIDManagerReference
-rIDManagerReference: CN=RID Manager$,CN=System,${DOMAINDN}
--
 replace: serverState
 serverState: 1
--
-replace: subRefs
-subRefs: ${CONFIGDN}
 -
 replace: systemFlags

vendor/current/source4/setup/provision_computers_add.ldif

@@ -2 +2 @@
 objectClass: top
 objectClass: container
+nTSecurityDescriptor:: ${COMPUTERS_DESCRIPTOR}

vendor/current/source4/setup/provision_configuration.ldif

@@ -22 +22 @@
 objectClass: container
 systemFlags: -2147483648
+nTSecurityDescriptor:: ${EXTENDEDRIGHTS_DESCRIPTOR}
 
 dn: CN=Change-Rid-Master,CN=Extended-Rights,${CONFIGDN}
@@ -707 +708 @@
 objectClass: top
 objectClass: container
+nTSecurityDescriptor:: ${FORESTUPDATES_DESCRIPTOR}
 
 dn: CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,${CONFIGDN}
@@ -1002 +1004 @@
 objectClass: lostAndFound
 systemFlags: -2147483648
+nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR}
 
 dn: CN=NTDS Quotas,${CONFIGDN}
@@ -1010 +1013 @@
 msDS-TombstoneQuotaFactor: 100
 systemFlags: -2147483648
+nTSecurityDescriptor:: ${NTDSQUOTAS_DESCRIPTOR}
 
 # Partitions
@@ -1019 +1023 @@
 msDS-Behavior-Version: ${FOREST_FUNCTIONALITY}
 showInAdvancedViewOnly: TRUE
-
-# Partitions for DNS are missing since we don't support AD DNS
+nTSecurityDescriptor:: ${PARTITIONS_DESCRIPTOR}
+
+# Partitions for DNS are missing here, they are added from provision_dnszones.ldif
 
 dn: CN=Enterprise Configuration,CN=Partitions,${CONFIGDN}
@@ -1053 +1058 @@
 objectClass: physicalLocation
 l: Physical Locations tree root
+nTSecurityDescriptor:: ${PHYSICALLOCATIONS_DESCRIPTOR}
 
 # Schema located in "ad-schema/*.txt"
@@ -1062 +1068 @@
 objectClass: container
 systemFlags: -2147483648
+nTSecurityDescriptor:: ${SERVICES_DESCRIPTOR}
 
 dn: CN=MsmqServices,CN=Services,${CONFIGDN}
@@ -1195 +1202 @@
 objectClass: sitesContainer
 systemFlags: -2113929216
-nTSecurityDescriptor:: ${SITES_DESCRIPTOR}
+ntSecurityDescriptor:: ${SITES_DESCRIPTOR}
 
 dn: CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}

vendor/current/source4/setup/provision_init.ldif

@@ -18 +18 @@
 passwordAttribute: initialAuthOutgoing
 passwordAttribute: initialAuthIncoming
+passwordAttribute: pekList
+passwordAttribute: msDS-ExecuteScriptPassword
 
 dn: @OPTIONS
 checkBaseOnSearch: TRUE
+disallowDNFilter: TRUE
 
 dn: @SAMBA_DSDB

vendor/current/source4/setup/provision_rootdse_modify.ldif

@@ -4 +4 @@
 replace: isSynchronized
 isSynchronized: TRUE
+replace: dsServiceName
+dsServiceName: <GUID=${NTDSGUID}>

vendor/current/source4/setup/provision_self_join.ldif

@@ -22 +22 @@
 objectSid: ${DOMAINSID}-${DCRID}
 
-# Here are missing the objects for the NTFRS subscription since we don't
-# support this technique yet.
-
-# Objects under "Configuration/Sites/<Default sitename>/Servers"
-
-dn: ${SERVERDN}
-objectClass: top
-objectClass: server
-systemFlags: 1375731712
-dNSHostName: ${DNSNAME}
-serverReference: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
-
-dn: CN=NTDS Settings,${SERVERDN}
-objectClass: top
-objectClass: applicationSettings
-objectClass: nTDSDSA
-dMDLocation: ${SCHEMADN}
-hasMasterNCs: ${CONFIGDN}
-hasMasterNCs: ${SCHEMADN}
-hasMasterNCs: ${DOMAINDN}
-invocationId: ${INVOCATIONID}
-msDS-Behavior-Version: ${DOMAIN_CONTROLLER_FUNCTIONALITY}
-msDS-HasDomainNCs: ${DOMAINDN}
-# "msDS-HasInstantiatedNCs"s for DNS don't exist since we don't support AD DNS
-msDS-HasInstantiatedNCs: B:8:0000000D:${CONFIGDN}
-msDS-HasInstantiatedNCs: B:8:0000000D:${SCHEMADN}
-msDS-HasInstantiatedNCs: B:8:00000005:${DOMAINDN}
-# "msDS-hasMasterNCs"s for DNS don't exist since we don't support AD DNS
-msDS-hasMasterNCs: ${CONFIGDN}
-msDS-hasMasterNCs: ${SCHEMADN}
-msDS-hasMasterNCs: ${DOMAINDN}
-options: 1
-systemFlags: 33554432
-${NTDSGUID}
+dn: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
+objectClass: rIDSet
+rIDAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
+rIDPreviousAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
+rIDUsedPool: 0
+rIDNextRID: ${RIDALLOCATIONSTART}

vendor/current/source4/setup/provision_self_join_modify.ldif

@@ -3 +3 @@
 replace: fSMORoleOwner
 fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
-
-dn: ${SCHEMADN}
-changetype: modify
-replace: fSMORoleOwner
-fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
+replace: rIDManagerReference
+rIDManagerReference: CN=RID Manager$,CN=System,${DOMAINDN}
 
 dn: CN=Infrastructure,${DOMAINDN}
@@ -19 +16 @@
 fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
 
-dn: CN=Partitions,${CONFIGDN}
-changetype: modify
-replace: fSMORoleOwner
-fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
-
-dn: CN=NTDS Site Settings,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
-changetype: modify
-replace: interSiteTopologyGenerator
-interSiteTopologyGenerator: CN=NTDS Settings,${SERVERDN}
-
-dn: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
-changetype: add
-objectClass: rIDSet
-rIDAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
-rIDPreviousAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
-rIDUsedPool: 0
-rIDNextRID: ${RIDALLOCATIONSTART}
-
 dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
 changetype: modify
 add: rIDSetReferences
 rIDSetReferences: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
+
+dn: ${SERVERDN}
+changetype: modify
+add: serverReference
+serverReference: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}

vendor/current/source4/setup/provision_users.ldif

@@ -433 +433 @@
 isCriticalSystemObject: TRUE
 
-# Add well known security principals
-
-dn: CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: container
-systemFlags: -2147483648
-
-dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-7
-
-dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-11
-
-dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-3
-
-dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-3-1
-
-dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-3-0
-
-dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-1
-
-dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-64-21
-
-dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-9
-
-dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-1-0
-
-dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-4
-
-dn: CN=IUSR,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-17
-
-dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-19
-
-dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-2
-
-dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-20
-
-dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-64-10
-
-dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-1000
-
-dn: CN=Owner Rights,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-3-4
-
-dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-8
-
-dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-14
-
-dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-12
-
-dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-64-14
-
-dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-10
-
-dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-6
-
-dn: CN=System,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-18
-
-dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-13
-
-dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-15

vendor/current/source4/setup/provision_users_add.ldif

@@ -2 +2 @@
 objectClass: top
 objectClass: container
+nTSecurityDescriptor:: ${USERS_DESCRIPTOR}

vendor/current/source4/setup/schema_samba4.ldif

@@ -12 +12 @@
 ## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
 ### see dsdb/samdb/samdb.h
+
+## 1.3.6.1.4.1.7165.4.5.x - ldap extended matches
 
 ## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
@@ -190 +192 @@
 #Allocated: (not used anymore) DSDB_CONTROL_SEARCH_APPLY_ACCESS 1.3.6.1.4.1.7165.4.3.15
 #Allocated: LDB_CONTROL_PROVISION_OID 1.3.6.1.4.1.7165.4.3.16
+#Allocated: DSDB_CONTROL_NO_GLOBAL_CATALOG 1.3.6.1.4.1.7165.4.3.17
+#Allocated: DSDB_CONTROL_PARTIAL_REPLICA 1.3.6.1.4.1.7165.4.3.18
+#Allocated: DSDB_CONTROL_DBCHECK 1.3.6.1.4.1.7165.4.3.19
+#Allocated: DSDB_CONTROL_DBCHECK_MODIFY_RO_REPLICA 1.3.6.1.4.1.7165.4.3.19.1
+#Allocated: DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID 1.3.6.1.4.1.7165.4.3.20
+#Allocated: DSDB_CONTROL_SEC_DESC_PROPAGATION_OID 1.3.6.1.4.1.7165.4.3.21
+#Allocated: DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID 1.3.6.1.4.1.7165.4.3.23
+#Allocated: DSDB_CONTROL_RESTORE_TOMBSTONE_OID 1.3.6.1.4.1.7165.4.3.24
+#Allocated: DSDB_CONTROL_CHANGEREPLMETADATA_RESORT_OID 1.3.6.1.4.1.7165.4.3.25
 
 # Extended 1.3.6.1.4.1.7165.4.4.x
@@ -197 +208 @@
 #Allocated: DSDB_EXTENDED_CREATE_PARTITION_OID 1.3.6.1.4.1.7165.4.4.4
 #Allocated: DSDB_EXTENDED_ALLOCATE_RID_POOL 1.3.6.1.4.1.7165.4.4.5
+#Allocated: DSDB_EXTENDED_SCHEMA_UPGRADE_IN_PROGRESS_OID 1.3.6.1.4.1.7165.4.4.6
+#Allocated: DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID 1.3.6.1.4.1.7165.4.4.7
+
+
+############
+# ldap extended matches
+#Allocated: SAMBA_LDAP_MATCH_ALWAYS_FALSE 1.3.6.1.4.1.7165.4.5.1
+
 
 #Allocated: (middleName) attributeID: 1.3.6.1.4.1.7165.4.255.1

vendor/current/source4/setup/secrets_dns.ldif

@@ -5 +5 @@
 objectClass: kerberosSecret
 realm: ${REALM}
-servicePrincipalName: DNS/${DNSDOMAIN}
+saltPrincipal: dns-${HOSTNAME}@${REALM}
 servicePrincipalName: DNS/${DNSNAME}
-msDS-KeyVersionNumber: 1
+msDS-KeyVersionNumber: ${KEY_VERSION_NUMBER}
 privateKeytab: ${DNS_KEYTAB}
 secret:: ${DNSPASS_B64}

vendor/current/source4/setup/slapd.conf

@@ -29 +29 @@
           uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth
           ldap:///cn=samba??one?(cn=\$1)
+
+authz-regexp
+          gidNumber=.*\\\+uidNumber=${ADMIN_UID},cn=peercred,cn=external,cn=auth
+          cn=samba-admin,cn=samba
 
 access to dn.base="" 
@@ -62 +66 @@
 moduleload syncprov
 
-database        ldif
+database        mdb
 suffix          cn=Samba
 directory       ${LDAPDIR}/db/samba
@@ -82 +86 @@
 ########################################
 ### cn=schema ###
-database        hdb
+database        mdb
 suffix          ${SCHEMADN}
 rootdn          cn=Manager,${SCHEMADN}
@@ -88 +92 @@
 ${NOSYNC}
 ${INDEX_CONFIG}
+maxsize 1073741824
 
 #syncprov is stable in OpenLDAP 2.3, and available in 2.2.  
@@ -103 +108 @@
 #########################################
 ### cn=config ###
-database        hdb
+database        mdb
 suffix          ${CONFIGDN}
 rootdn          cn=Manager,${CONFIGDN}
@@ -109 +114 @@
 ${NOSYNC}
 ${INDEX_CONFIG}
+maxsize 1073741824
 
 #syncprov is stable in OpenLDAP 2.3, and available in 2.2.  
@@ -123 +129 @@
 
 ########################################
+### domaindns
+database        mdb
+suffix          dc=domaindnszones,${DOMAINDN}
+rootdn          cn=Manager,${DOMAINDN}
+directory       ${LDAPDIR}/db/domaindns
+${NOSYNC}
+${INDEX_CONFIG}
+maxsize 1073741824
+
+#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
+#We need this for the contextCSN attribute and mmr.
+overlay syncprov
+syncprov-sessionlog 100
+syncprov-checkpoint 100 10
+
+overlay rdnval
+
+### Multimaster-Replication of domainDNS context ###
+${MMR_SYNCREPL_DOMAINDNS_CONFIG}
+${MIRRORMODE}
+
+########################################
+### forestdns  ###
+database        mdb
+suffix          dc=forestdnszones,${DOMAINDN}
+rootdn          cn=Manager,${DOMAINDN}
+directory       ${LDAPDIR}/db/forestdns
+${NOSYNC}
+${INDEX_CONFIG}
+maxsize 1073741824
+
+#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
+#We need this for the contextCSN attribute and mmr.
+overlay syncprov
+syncprov-sessionlog 100
+syncprov-checkpoint 100 10
+
+overlay rdnval
+
+### Multimaster-Replication of forestDNS context ###
+${MMR_SYNCREPL_FORESTDNS_CONFIG}
+${MIRRORMODE}
+
+########################################
 ### cn=users /base-dn  ###
-database        hdb
+database        mdb
 suffix          ${DOMAINDN}
 rootdn          cn=Manager,${DOMAINDN}
@@ -130 +180 @@
 ${NOSYNC}
 ${INDEX_CONFIG}
+maxsize 1073741824
 
 #syncprov is stable in OpenLDAP 2.3, and available in 2.2.  

vendor/current/source4/setup/spn_update_list

@@ -6 +6 @@
 HOST/${HOSTNAME}/${WORKGROUP}
 ldap/${HOSTNAME}/${WORKGROUP}
-GC/${HOSTNAME}/${DNSDOMAIN}
+GC/${HOSTNAME}/${DNSFOREST}
 ldap/${HOSTNAME}
 HOST/${HOSTNAME}/${DNSDOMAIN}
@@ -12 +12 @@
 HOST/${NETBIOSNAME}
 E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN}
-ldap/${NTDSGUID}._msdcs.${DNSDOMAIN}
+ldap/${NTDSGUID}._msdcs.${DNSFOREST}
 ldap/${NETBIOSNAME}
 RestrictedKrbHost/${NETBIOSNAME}
 RestrictedKrbHost/${HOSTNAME}
+ldap/${HOSTNAME}/DomainDnsZones.${DNSDOMAIN}
+ldap/${HOSTNAME}/ForestDnsZones.${DNSDOMAIN}
 
 # These are not supported yet:
 # NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/${HOSTNAME}
 # Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/${HOSTNAME}
-# ldap/${HOSTNAME}/DomainDnsZones.${DNSDOMAIN}
-# ldap/${HOSTNAME}/ForestDnsZones.${DNSDOMAIN}
 #
-# Only used in DNS mode:
+# Only used in DNS mode: (This is added on dns-${HOSTNAME} account, should not be added here)
 # DNS/${HOSTNAME}
 #

vendor/current/source4/setup/tests/blackbox_group.sh

@@ -15 +15 @@
 
 rm -rf $PREFIX/simple-dc
-testit "simple-dc" $PYTHON $SRCDIR/source4/setup/provision --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc
+testit "simple-dc" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc --use-ntvfs
 samba_tool="./bin/samba-tool"
 
@@ -21 +21 @@
 
 #creation of two test subjects
-testit "newuser" $samba_tool newuser $CONFIG --given-name="User" --surname="Tester" --initial="UT" testuser testp@ssw0Rd
-testit "newuser" $samba_tool newuser $CONFIG --given-name="User1" --surname="Tester" --initial="UT" testuser1 testp@ssw0Rd
+testit "user add" $samba_tool user create $CONFIG --given-name="User" --surname="Tester" --initial="UT" testuser testp@ssw0Rd
+testit "user add" $samba_tool user create $CONFIG --given-name="User1" --surname="Tester" --initial="UT" testuser1 testp@ssw0Rd
 
 #test creation of six different groups
@@ -33 +33 @@
 
 #test adding test users to all groups by their username
-testit "group addmembers" $samba_tool group addmembers $CONFIG dsg newuser,newuser1
-testit "group addmembers" $samba_tool group addmembers $CONFIG gsg newuser,newuser1
-testit "group addmembers" $samba_tool group addmembers $CONFIG usg newuser,newuser1
-testit "group addmembers" $samba_tool group addmembers $CONFIG ddg newuser,newuser1
-testit "group addmembers" $samba_tool group addmembers $CONFIG gdg newuser,newuser1
-testit "group addmembers" $samba_tool group addmembers $CONFIG udg newuser,newuser1
+testit "group addmembers" $samba_tool group addmembers $CONFIG dsg testuser,testuser1
+testit "group addmembers" $samba_tool group addmembers $CONFIG gsg testuser,testuser1
+testit "group addmembers" $samba_tool group addmembers $CONFIG usg testuser,testuser1
+testit "group addmembers" $samba_tool group addmembers $CONFIG ddg testuser,testuser1
+testit "group addmembers" $samba_tool group addmembers $CONFIG gdg testuser,testuser1
+testit "group addmembers" $samba_tool group addmembers $CONFIG udg testuser,testuser1
 
 #test removing test users from all groups by their username
-testit "group removemembers" $samba_tool group removemembers $CONFIG dsg newuser,newuser1
-testit "group removemembers" $samba_tool group removemembers $CONFIG gsg newuser,newuser1
-testit "group removemembers" $samba_tool group removemembers $CONFIG usg newuser,newuser1
-testit "group removemembers" $samba_tool group removemembers $CONFIG ddg newuser,newuser1
-testit "group removemembers" $samba_tool group removemembers $CONFIG gdg newuser,newuser1
-testit "group removemembers" $samba_tool group removemembers $CONFIG udg newuser,newuser1
+testit "group removemembers" $samba_tool group removemembers $CONFIG dsg testuser,testuser1
+testit "group removemembers" $samba_tool group removemembers $CONFIG gsg testuser,testuser1
+testit "group removemembers" $samba_tool group removemembers $CONFIG usg testuser,testuser1
+testit "group removemembers" $samba_tool group removemembers $CONFIG ddg testuser,testuser1
+testit "group removemembers" $samba_tool group removemembers $CONFIG gdg testuser,testuser1
+testit "group removemembers" $samba_tool group removemembers $CONFIG udg testuser,testuser1
 
 #test adding test users to all groups by their cn
@@ -72 +72 @@
 testit "group delete" $samba_tool group delete $CONFIG udg
 
+#test listing of all groups
+testit "group list" $samba_tool group list $CONFIG
+
+#test listing of members of a particular group
+testit "group listmembers" $samba_tool group listmembers $CONFIG Users
+
 exit $failed

vendor/current/source4/setup/tests/blackbox_newuser.sh

@@ -15 +15 @@
 
 rm -rf $PREFIX/simple-dc
-testit "simple-dc" $PYTHON $SRCDIR/source4/setup/provision --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc
+testit "simple-dc" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc --use-ntvfs
 samba_tool="./bin/samba-tool"
 
@@ -23 +23 @@
 #newuser  account is created with cn=Given Name Initials. Surname
 #newuser1 account is created using cn=username
-testit "newuser" $samba_tool newuser $CONFIG --given-name="User" --surname="Tester" --initials="T" --profile-path="\\\\myserver\\my\\profile" --script-path="\\\\myserver\\my\\script" --home-directory="\\\\myserver\\my\\homedir" --job-title="Tester" --department="Testing" --company="Samba.org" --description="Description" --mail-address="tester@samba.org" --internet-address="http://samba.org" --telephone-number="001122334455" --physical-delivery-office="101" --home-drive="H:" NewUser testp@ssw0Rd
-testit "newuser" $samba_tool newuser $CONFIG --use-username-as-cn --given-name="User1" --surname="Tester1" --initials="UT1" --profile-path="\\\\myserver\\my\\profile" --script-path="\\\\myserver\\my\\script" --home-directory="\\\\myserver\\my\\homedir" --job-title="Tester" --department="Testing" --company="Samba.org" --description="Description" --mail-address="tester@samba.org" --internet-address="http://samba.org" --telephone-number="001122334455" --physical-delivery-office="101" --home-drive="H:" NewUser1 testp@ssw0Rd
+testit "user add" $samba_tool user create $CONFIG --given-name="User" --surname="Tester" --initials="T" --profile-path="\\\\myserver\\my\\profile" --script-path="\\\\myserver\\my\\script" --home-directory="\\\\myserver\\my\\homedir" --job-title="Tester" --department="Testing" --company="Samba.org" --description="Description" --mail-address="tester@samba.org" --internet-address="http://samba.org" --telephone-number="001122334455" --physical-delivery-office="101" --home-drive="H:" NewUser testp@ssw0Rd
+testit "user add" $samba_tool user create $CONFIG --use-username-as-cn --given-name="User1" --surname="Tester1" --initials="UT1" --profile-path="\\\\myserver\\my\\profile" --script-path="\\\\myserver\\my\\script" --home-directory="\\\\myserver\\my\\homedir" --job-title="Tester" --department="Testing" --company="Samba.org" --description="Description" --mail-address="tester@samba.org" --internet-address="http://samba.org" --telephone-number="001122334455" --physical-delivery-office="101" --home-drive="H:" NewUser1 testp@ssw0Rd
 
 # check the enable account script
-testit "enableaccount" $samba_tool enableaccount $CONFIG NewUser
-testit "enableaccount" $samba_tool enableaccount $CONFIG NewUser1
+testit "enableaccount" $samba_tool user enable $CONFIG NewUser
+testit "enableaccount" $samba_tool user enable $CONFIG NewUser1
 
 # check the enable account script
-testit "setpassword" $samba_tool setpassword $CONFIG NewUser --newpassword=testp@ssw0Rd2
-testit "setpassword" $samba_tool setpassword $CONFIG NewUser1 --newpassword=testp@ssw0Rd2
+testit "setpassword" $samba_tool user setpassword $CONFIG NewUser --newpassword=testp@ssw0Rd2
+testit "setpassword" $samba_tool user setpassword $CONFIG NewUser1 --newpassword=testp@ssw0Rd2
 
 # check the setexpiry script
-testit "noexpiry" $samba_tool setexpiry $CONFIG NewUser --noexpiry
-testit "noexpiry" $samba_tool setexpiry $CONFIG NewUser1 --noexpiry
-testit "expiry" $samba_tool setexpiry $CONFIG NewUser --days=7
-testit "expiry" $samba_tool setexpiry $CONFIG NewUser1 --days=7
+testit "noexpiry" $samba_tool user setexpiry $CONFIG NewUser --noexpiry
+testit "noexpiry" $samba_tool user setexpiry $CONFIG NewUser1 --noexpiry
+testit "expiry" $samba_tool user setexpiry $CONFIG NewUser --days=7
+testit "expiry" $samba_tool user setexpiry $CONFIG NewUser1 --days=7
 
 exit $failed

vendor/current/source4/setup/tests/blackbox_provision-backend.sh

@@ -9 +9 @@
 
 PREFIX="$1"
+export TEST_LDAP="yes"
 shift 1
-
 . `dirname $0`/../../../testprogs/blackbox/subunit.sh
 
-testit "openldap-backend" $PYTHON $SRCDIR/source4/setup/provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --ldap-dryrun-mode --slapd-path=/dev/null
-testit "openldap-mmr-backend" $PYTHON $SRCDIR/source4/setup/provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-mmr-backend --ol-mmr-urls="ldap://s4dc1.test:9000,ldap://s4dc2.test:9000" --ldap-dryrun-mode --slapd-path=/dev/null --username=samba-admin --password=linux --adminpass=linux --ldapadminpass=linux
-testit "fedora-ds-backend" $PYTHON $SRCDIR/source4/setup/provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --ldap-dryrun-mode --slapd-path=/dev/null
+testit "openldap-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode
+testit "openldap-mmr-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-mmr-backend --ol-mmr-urls="ldap://s4dc1.test:9000,ldap://s4dc2.test:9000" --adminpass=linux --ldapadminpass=linux --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode
+testit "fedora-ds-backend" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend --slapd-path=/dev/null --use-ntvfs --ldap-dryrun-mode
 
 reprovision() {
-        $PYTHON $SRCDIR/source4/setup/provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend-reprovision --ldap-dryrun-mode --slapd-path=/dev/null
-        $PYTHON $SRCDIR/source4/setup/provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend-reprovision --ldap-dryrun-mode --slapd-path=/dev/null
+        $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend-reprovision --use-ntvfs --ldap-dryrun-mode --slapd-path=/dev/null
+       $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --ldap-backend-type=openldap --targetdir=$PREFIX/openldap-backend-reprovision --use-ntvfs --ldap-dryrun-mode --slapd-path=/dev/null
 }
 

vendor/current/source4/setup/tests/blackbox_provision.sh

@@ -17 +17 @@
 mkdir -p $PREFIX/simple-default/etc
 touch $PREFIX/simple-default/etc/smb.conf
-testit "simple-default" $PYTHON $SRCDIR/source4/setup/provision --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-default
+testit "simple-default" $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-default --use-ntvfs
 #And try with just whitespace
 rm -rf $PREFIX/simple-dc
 mkdir -p $PREFIX/simple-dc/etc
 echo "  " > $PREFIX/simple-dc/etc/smb.conf
-testit "simple-dc" $PYTHON $SRCDIR/source4/setup/provision --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc
+testit "simple-dc" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc --use-ntvfs
 #The rest of these tests are with no smb.conf file present
 
 rm -rf $PREFIX/simple-dc
-testit "simple-dc-guids" $PYTHON $SRCDIR/source4/setup/provision --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --domain-guid=6054d36d-2bfd-44f1-a9cd-32cfbb06480b --ntds-guid=b838f255-c8aa-4fe8-9402-b7d61ca3bd1b --invocationid=6d4cff9a-2bbf-4b4c-98a2-36242ddb0bd6 --targetdir=$PREFIX/simple-dc
+testit "simple-dc-guids" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --domain-guid=6054d36d-2bfd-44f1-a9cd-32cfbb06480b --ntds-guid=b838f255-c8aa-4fe8-9402-b7d61ca3bd1b --invocationid=6d4cff9a-2bbf-4b4c-98a2-36242ddb0bd6 --targetdir=$PREFIX/simple-dc --use-ntvfs
 rm -rf $PREFIX/simple-member
-testit "simple-member" $PYTHON $SRCDIR/source4/setup/provision --server-role="member" --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-member
+testit "simple-member" $PYTHON $BINDIR/samba-tool domain provision --server-role="member" --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-member --use-ntvfs
 rm -rf $PREFIX/simple-standalone
-testit "simple-standalone" $PYTHON $SRCDIR/source4/setup/provision --server-role="standalone" --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-standalone
+testit "simple-standalone" $PYTHON $BINDIR/samba-tool domain provision --server-role="standalone" --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-standalone --use-ntvfs
 rm -rf $PREFIX/blank-dc
-testit "blank-dc" $PYTHON $SRCDIR/source4/setup/provision --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/blank-dc --blank
-rm -rf $PREFIX/partitions-only-dc
-testit "partitions-only-dc" $PYTHON $SRCDIR/source4/setup/provision --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/partitions-only-dc --partitions-only
+testit "blank-dc" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/blank-dc --blank --use-ntvfs
 
 reprovision() {
-        rm -rf $PREFIX/reprovision
-        $PYTHON $SRCDIR/source4/setup/provision --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/reprovision"
-        $PYTHON $SRCDIR/source4/setup/provision --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/reprovision"
+        $PYTHON $BINDIR/samba-tool domain provision --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/simple-default" --use-ntvfs
 }
 
@@ -49 +45 @@
 rm -rf $PREFIX/simple-standalone
 rm -rf $PREFIX/partitions-only-dc
-rm -rf $PREFIX/reprovision
 
 exit $failed

vendor/current/source4/setup/tests/blackbox_setpassword.sh

@@ -16 +16 @@
 
 rm -rf $PREFIX/simple-dc
-testit "simple-dc" $PYTHON $SRCDIR/source4/setup/provision --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc
+mkdir -p $PREFIX/simple-dc
 
-testit "newuser" $samba_tool newuser --configfile=$PREFIX/simple-dc/etc/smb.conf testuser testp@ssw0Rd
+testit "simple-dc" $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc --use-ntvfs
 
-testit "setpassword" $samba_tool setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testp@ssw0Rd
+testit "user add" $samba_tool user create --configfile=$PREFIX/simple-dc/etc/smb.conf testuser testp@ssw0Rd
 
-testit "setpassword" $samba_tool setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testp@ssw0Rd --must-change-at-next-login
+testit "setpassword" $samba_tool user setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testp@ssw0Rd
 
-testit "pwsettings" $samba_tool pwsettings --quiet set --configfile=$PREFIX/simple-dc/etc/smb.conf --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default --store-plaintext=on
+testit "setpassword" $samba_tool user setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testp@ssw0Rd --must-change-at-next-login
+
+testit "passwordsettings" $samba_tool domain passwordsettings --quiet set --configfile=$PREFIX/simple-dc/etc/smb.conf --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default --store-plaintext=on
 
 exit $failed

vendor/current/source4/setup/tests/blackbox_upgradeprovision.sh

@@ -13 +13 @@
 . `dirname $0`/../../../testprogs/blackbox/subunit.sh
 
+[ ! -d $PREFIX ] && mkdir $PREFIX
+
+upgradeprovision_reference() {
+  if [ -d $PREFIX/upgradeprovision_reference ]; then
+    rm -fr $PREFIX/upgradeprovision_reference
+  fi
+        $PYTHON $BINDIR/samba-tool domain provision --host-name=bar --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/upgradeprovision_reference" --server-role="dc" --use-ntvfs
+}
+
 upgradeprovision() {
   if [ -d $PREFIX/upgradeprovision ]; then
     rm -fr $PREFIX/upgradeprovision
   fi
-        $PYTHON $SRCDIR/source4/setup/provision --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/upgradeprovision" --server-role="dc"
-        $PYTHON $SRCDIR/source4/scripting/bin/upgradeprovision -s "$PREFIX/upgradeprovision/etc/smb.conf" --debugchange
+        $PYTHON $BINDIR/samba-tool domain provision --host-name=bar --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/upgradeprovision" --server-role="dc" --use-ntvfs
+        $PYTHON $BINDIR/samba_upgradeprovision -s "$PREFIX/upgradeprovision/etc/smb.conf" --debugchange
 }
 
@@ -25 +34 @@
     rm -fr $PREFIX/upgradeprovision_full
   fi
-        $PYTHON $SRCDIR/source4/setup/provision --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/upgradeprovision_full" --server-role="dc"
-        $PYTHON $SRCDIR/source4/scripting/bin/upgradeprovision -s "$PREFIX/upgradeprovision_full/etc/smb.conf" --full --debugchange
+        $PYTHON $BINDIR/samba-tool domain provision --host-name=bar --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/upgradeprovision_full" --server-role="dc" --use-ntvfs
+        $PYTHON $BINDIR/samba_upgradeprovision -s "$PREFIX/upgradeprovision_full/etc/smb.conf" --full --debugchange
+}
+
+# The ldapcmp runs here are to ensure that a 'null' run of
+# upgradeprovision (because we did a provision with the same template)
+# really doesn't change anything.
+
+ldapcmp() {
+        $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX/upgradeprovision/private/sam.ldb tdb://$PREFIX/upgradeprovision_reference/private/sam.ldb --two --skip-missing-dn
+}
+
+ldapcmp_full() {
+        $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX/upgradeprovision_full/private/sam.ldb tdb://$PREFIX/upgradeprovision_reference/private/sam.ldb --two --skip-missing-dn
+}
+
+ldapcmp_sd() {
+        $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX/upgradeprovision/private/sam.ldb tdb://$PREFIX/upgradeprovision_reference/private/sam.ldb --two --sd --skip-missing-dn
+}
+
+ldapcmp_full_sd() {
+        $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX/upgradeprovision_full/private/sam.ldb tdb://$PREFIX/upgradeprovision_reference/private/sam.ldb --two --sd --skip-missing-dn
 }
 
 testit "upgradeprovision" upgradeprovision
 testit "upgradeprovision_full" upgradeprovision_full
+testit "upgradeprovision_reference" upgradeprovision_reference
+testit "ldapcmp" ldapcmp
+testit "ldapcmp_full" ldapcmp_full
+testit "ldapcmp_sd" ldapcmp_sd
+testit "ldapcmp_full_sd" ldapcmp_full_sd
 
 if [ -d $PREFIX/upgradeprovision ]; then
@@ -40 +74 @@
 fi
 
+if [ -d $PREFIX/upgradeprovision_reference ]; then
+  rm -fr $PREFIX/upgradeprovision_reference
+fi
+
 exit $failed

vendor/current/source4/setup/wscript_build

@@ -1 +1 @@
 #!/usr/bin/env python
-
-from samba_utils import MODE_755
 
 bld.INSTALL_WILDCARD('${SETUPDIR}', 'ad-schema/*.txt')
 bld.INSTALL_WILDCARD('${SETUPDIR}', 'display-specifiers/*.txt')
-
-bld.INSTALL_FILES('${SBINDIR}', 'provision', chmod=MODE_755, python_fixup=True)
 
 bld.INSTALL_FILES('${SETUPDIR}', 'dns_update_list')
@@ -12 +8 @@
 
 for p in '''schema-map-* DB_CONFIG *.inf *.ldif *.reg *.zone *.conf *.php *.txt
-            named.conf named.conf.update provision.smb.conf.dc provision.smb.conf.member
-            provision.smb.conf.standalone'''.split():
+            named.conf.update named.conf.dlz'''.split():
     bld.INSTALL_WILDCARD('${SETUPDIR}', p)