diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all --- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all 2008-04-17 09:51:47.000000000 +0200 +++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/cpu.conf/all 2008-04-17 09:37:58.000000000 +0200 @@ -32,7 +32,7 @@ RANDOM = "false" PASSWORD_FILE = "/etc/passfile" SHADOW_FILE = "/etc/shadowfile" -HASH = "sha1" +HASH = "crypt" #ADD_SCRIPT = "contrib/postaddscript.sh" #DEL_SCRIPT = "foo" SHADOWLASTCHANGE = 11192 diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password --- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password 2008-04-17 09:51:47.000000000 +0200 +++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/20pam_password 2008-04-17 09:38:21.000000000 +0200 @@ -1 +1 @@ -pam_password md5 +pam_password exop diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd --- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd 2008-04-17 09:51:47.000000000 +0200 +++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/40nss_base_passwd 2008-04-17 09:39:05.000000000 +0200 @@ -2,4 +2,8 @@ $OUT .= "nss_base_passwd ou=Users,"; $OUT .= esmith::util::ldapBase ($DomainName); $OUT .= '?one'; + $OUT .= "\n"; + $OUT .= "nss_base_passwd ou=Computers,"; + $OUT .= esmith::util::ldapBase ($DomainName); + $OUT .= '?one'; } diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy --- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy 2008-04-17 09:51:47.000000000 +0200 +++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/ldap.conf/55bind_policy 2008-04-17 09:39:40.000000000 +0200 @@ -1,2 +1,4 @@ +{ # Allow read /etc/{passwd,groups,shadow} files when ldap is down. +} bind_policy soft diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash --- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash 1970-01-01 01:00:00.000000000 +0100 +++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/85passwordHash 2008-04-17 09:41:03.000000000 +0200 @@ -0,0 +1,5 @@ + +# This is to use md5crypt +password-hash \{CRYPT\} +password-crypt-salt-format "$1$%.8s" + diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls --- e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls 2008-04-17 09:51:47.000000000 +0200 +++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/e-smith/templates/etc/openldap/slapd.conf/95acls 2008-04-17 09:41:52.000000000 +0200 @@ -5,6 +5,18 @@ by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write by * none + access to attr=sambaLMPassword + by self write + by anonymous auth + by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write + by * none + + access to attr=sambaNTPassword + by self write + by anonymous auth + by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write + by * none + access to * by self write by dn="cn=root,{ esmith::util::ldapBase ($DomainName); }" write diff -Nur -x '*.orig' -x '*.rej' e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema --- e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema 2008-04-17 09:51:47.000000000 +0200 +++ mezzanine_patched_e-smith-base+ldap-4.19.1/root/etc/openldap/schema/samba.schema 2007-03-01 05:55:18.000000000 +0100 @@ -14,6 +14,13 @@ ## 1.3.6.1.4.1.7165.2.3.1.x - attributetypes ## 1.3.6.1.4.1.7165.2.3.2.x - objectclasses ## +## Samba4 +## 1.3.6.1.4.1.7165.4.1.x - attributetypes +## 1.3.6.1.4.1.7165.4.2.x - objectclasses +## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls +## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations +## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track +## ## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------ ## ## Run the 'get_next_oid' bash script in this directory to find the @@ -38,6 +45,7 @@ # objectIdentifier Samba3 SambaRoot:2 # objectIdentifier Samba3Attrib Samba3:1 # objectIdentifier Samba3ObjectClass Samba3:2 +# objectIdentifier Samba4 SambaRoot:4 ######################################################################## ## HISTORICAL ## @@ -279,12 +287,12 @@ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' - DESC '' + DESC 'Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' - DESC 'Concatenated MD4 hashes of the unicode passwords used on this account' + DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) @@ -295,9 +303,9 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Security ID' EQUALITY caseIgnoreIA5Match + SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) - ## ## Primary group SID, compatible with ntSid ## @@ -376,19 +384,81 @@ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' - SUP name ) +##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' +## SUP name ) -attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList' - DESC 'Privileges List' - EQUALITY caseIgnoreIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) +##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList' +## DESC 'Privileges List' +## EQUALITY caseIgnoreIA5Match +## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC 'Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +# "min password length" +attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' + DESC 'Minimal password length (default: 5)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "password history" +attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' + DESC 'Length of Password History Entries (default: 0 => off)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "user must logon to change password" +attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' + DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "maximum password age" +attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' + DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "minimum password age" +attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' + DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "lockout duration" +attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' + DESC 'Lockout duration in minutes (default: 30, -1 => forever)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "reset count minutes" +attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow' + DESC 'Reset time after lockout in minutes (default: 30)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "bad lockout attempt" +attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' + DESC 'Lockout users after bad logon attempts (default: 0 => off)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "disconnect time" +attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' + DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +# "refuse machine password change" +attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' + DESC 'Allow Machine Password changes (default: 0 => off)' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + + + ####################################################################### ## objectClasses used by Samba 3.0 schema ## @@ -438,7 +508,11 @@ MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ - sambaAlgorithmicRidBase ) ) + sambaAlgorithmicRidBase $ + sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ + sambaMaxPwdAge $ sambaMinPwdAge $ + sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $ + sambaForceLogoff $ sambaRefuseMachinePwdChange )) ## ## used for idmap_ldap module @@ -457,7 +531,7 @@ DESC 'Structural Class for a SID' MUST ( sambaSID ) ) -objectclass ( 1.3.6.1.4.1.7165.1.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY +objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY DESC 'Samba Configuration Section' MAY ( description ) ) @@ -473,8 +547,8 @@ sambaStringListoption $ description ) ) -objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY - DESC 'Samba Privilege' - MUST ( sambaSID ) - MAY ( sambaPrivilegeList ) ) - +## retired during privilege rewrite +##objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY +## DESC 'Samba Privilege' +## MUST ( sambaSID ) +## MAY ( sambaPrivilegeList ) )