Convert some more files to GPLv3.

[jra/samba/.git] / source4 / scripting / libjs / provision.js
diff --git a/source4/scripting/libjs/provision.js b/source4/scripting/libjs/provision.js

index c14a9da55fbde114e63075a2fb021eb6c5711854..51e2785762bd79a29c2beba5b478f08066f80a05 100644 (file)
--- a/source4/scripting/libjs/provision.js
+++ b/source4/scripting/libjs/provision.js
@@ -1,7 +1,7 @@
  /*
         backend code for provisioning a Samba4 server
         Copyright Andrew Tridgell 2005
  /*
         backend code for provisioning a Samba4 server
         Copyright Andrew Tridgell 2005
-       Released under the GNU GPL v2 or later
+       Released under the GNU GPL version 3 or later
  */
  
  sys = sys_init();
  */
  
  sys = sys_init();
@@ -23,7 +23,7 @@ function install_ok(session_info, credentials)
                 return false;
         }
         var res = ldb.search("(cn=Administrator)");
                 return false;
         }
         var res = ldb.search("(cn=Administrator)");
-       if (res.length != 1) {
+       if (res.error != 0 || res.msgs.length != 1) {
                 return false;
         }
         return true;
                 return false;
         }
         return true;
@@ -57,7 +57,7 @@ objectClass: top
  objectClass: foreignSecurityPrincipal
  description: %s
  ",
  objectClass: foreignSecurityPrincipal
  description: %s
  ",
-                         sid, subobj.BASEDN, desc);
+                         sid, subobj.DOMAINDN, desc);
         /* deliberately ignore errors from this, as the records may
            already exist */
         ldb.add(add);
         /* deliberately ignore errors from this, as the records may
            already exist */
         ldb.add(add);
@@ -71,8 +71,8 @@ function setup_name_mapping(info, ldb, sid, unixname)
  {
         var attrs = new Array("dn");
         var res = ldb.search(sprintf("objectSid=%s", sid), 
  {
         var attrs = new Array("dn");
         var res = ldb.search(sprintf("objectSid=%s", sid), 
-                            info.subobj.BASEDN, ldb.SCOPE_SUBTREE, attrs);
-       if (res.length != 1) {
+                            info.subobj.DOMAINDN, ldb.SCOPE_SUBTREE, attrs);
+       if (res.error != 0 || res.msgs.length != 1) {
                 info.message("Failed to find record for objectSid %s\n", sid);
                 return false;
         }
                 info.message("Failed to find record for objectSid %s\n", sid);
                 return false;
         }
@@ -82,9 +82,9 @@ changetype: modify
  replace: unixName
  unixName: %s
  ",
  replace: unixName
  unixName: %s
  ",
-                         res[0].dn, unixname);
+                         res.msgs[0].dn, unixname);
         var ok = ldb.modify(mod);
         var ok = ldb.modify(mod);
-       if (!ok) {
+       if (ok.error != 0) {
                 info.message("name mapping for %s failed - %s\n",
                              sid, ldb.errstring());
                 return false;
                 info.message("name mapping for %s failed - %s\n",
                              sid, ldb.errstring());
                 return false;
@@ -140,9 +140,9 @@ function hostname()
  /* the ldb is in bad shape, possibly due to being built from an
     incompatible previous version of the code, so delete it
     completely */
  /* the ldb is in bad shape, possibly due to being built from an
     incompatible previous version of the code, so delete it
     completely */
-function ldb_delete(ldb)
+function ldb_delete(info, ldb)
  {
  {
-       println("Deleting " + ldb.filename);
+       info.message("Deleting " + ldb.filename + "\n");
         var lp = loadparm_init();
         sys.unlink(sprintf("%s/%s", lp.get("private dir"), ldb.filename));
         ldb.transaction_cancel();
         var lp = loadparm_init();
         sys.unlink(sprintf("%s/%s", lp.get("private dir"), ldb.filename));
         ldb.transaction_cancel();
@@ -155,14 +155,14 @@ function ldb_delete(ldb)
  /*
    erase an ldb, removing all records
  */
  /*
    erase an ldb, removing all records
  */
-function ldb_erase(ldb)
+function ldb_erase(info, ldb)
  {
         var res;
  
         /* delete the specials */
         ldb.del("@INDEXLIST");
         ldb.del("@ATTRIBUTES");
  {
         var res;
  
         /* delete the specials */
         ldb.del("@INDEXLIST");
         ldb.del("@ATTRIBUTES");
-       ldb.del("@SUBCLASSES");
+       ldb.del("@OPTIONS");
         ldb.del("@MODULES");
         ldb.del("@PARTITION");
         ldb.del("@KLUDGEACL");
         ldb.del("@MODULES");
         ldb.del("@PARTITION");
         ldb.del("@KLUDGEACL");
@@ -170,22 +170,22 @@ function ldb_erase(ldb)
         /* and the rest */
         attrs = new Array("dn");
         var basedn = "";
         /* and the rest */
         attrs = new Array("dn");
         var basedn = "";
-       var res = ldb.search("(&(|(objectclass=*)(dn=*))(!(dn=@BASEINFO)))", basedn, ldb.SCOPE_SUBTREE, attrs);
+       var res = ldb.search("(&(|(objectclass=*)(distinguishedName=*))(!(distinguishedName=@BASEINFO)))", basedn, ldb.SCOPE_SUBTREE, attrs);
         var i;
         var i;
-       if (typeof(res) == "undefined") {
-               ldb_delete(ldb);
+       if (res.error != 0) {
+               ldb_delete(info, ldb);
                 return;
         }
                 return;
         }
-       for (i=0;i<res.length;i++) {
-               ldb.del(res[i].dn);
+       for (i=0;i<res.msgs.length;i++) {
+               ldb.del(res.msgs[i].dn);
         }
  
         }
  
-       var res = ldb.search("(&(|(objectclass=*)(dn=*))(!(dn=@BASEINFO)))", basedn, ldb.SCOPE_SUBTREE, attrs);
-       if (res.length != 0) {
-               ldb_delete(ldb);
+       var res = ldb.search("(&(|(objectclass=*)(distinguishedName=*))(!(distinguishedName=@BASEINFO)))", basedn, ldb.SCOPE_SUBTREE, attrs);
+       if (res.error != 0 || res.msgs.length != 0) {
+               ldb_delete(info, ldb);
                 return;
         }
                 return;
         }
-       assert(res.length == 0);
+       assert(res.msgs.length == 0);
  }
  
  /*
  }
  
  /*
@@ -198,20 +198,23 @@ function ldb_erase_partitions(info, ldb, ldapbackend)
         var j;
  
         var res = ldb.search("(objectClass=*)", "", ldb.SCOPE_BASE, rootDSE_attrs);
         var j;
  
         var res = ldb.search("(objectClass=*)", "", ldb.SCOPE_BASE, rootDSE_attrs);
-       assert(typeof(res) != "undefined");
-       assert(res.length == 1);
-       if (typeof(res[0].namingContexts) == "undefined") {
+       if (res.error != 0) {
+               info.message("rootdse search failed: " + res.errstr + "\n");
+               assert(res.error == 0);
+       }
+       assert(res.msgs.length == 1);
+       if (typeof(res.msgs[0].namingContexts) == "undefined") {
                 return;
         }       
                 return;
         }       
-       for (j=0; j<res[0].namingContexts.length; j++) {
-               var anything = "(|(objectclass=*)(dn=*))";
-               var attrs = new Array("dn");
-               var basedn = res[0].namingContexts[j];
+       for (j=0; j<res.msgs[0].namingContexts.length; j++) {
+               var anything = "(|(objectclass=*)(distinguishedName=*))";
+               var attrs = new Array("distinguishedName");
+               var basedn = res.msgs[0].namingContexts[j];
                 var k;
                 var previous_remaining = 1;
                 var current_remaining = 0;
  
                 var k;
                 var previous_remaining = 1;
                 var current_remaining = 0;
  
-               if (ldapbackend && (basedn == info.subobj.BASEDN)) {
+               if (ldapbackend && (basedn == info.subobj.DOMAINDN)) {
                         /* Only delete objects that were created by provision */
                         anything = "(objectcategory=*)";
                 }
                         /* Only delete objects that were created by provision */
                         anything = "(objectcategory=*)";
                 }
@@ -220,23 +223,27 @@ function ldb_erase_partitions(info, ldb, ldapbackend)
                         /* and the rest */
                         var res2 = ldb.search(anything, basedn, ldb.SCOPE_SUBTREE, attrs);
                         var i;
                         /* and the rest */
                         var res2 = ldb.search(anything, basedn, ldb.SCOPE_SUBTREE, attrs);
                         var i;
-                       if (typeof(res2) == "undefined") {
-                               info.message("ldb search failed: " + ldb.errstring() + "\n");
-                               continue;
+                       if (res2.error != 0) {
+                               if (res2.error == 32) {
+                                       break;
+                               } else {
+                                       info.message("ldb search(2) failed: " + res2.errstr + "\n");
+                                       continue;
+                               }
                         }
                         previous_remaining = current_remaining;
                         }
                         previous_remaining = current_remaining;
-                       current_remaining = res2.length;
-                       for (i=0;i<res2.length;i++) {
-                               ldb.del(res2[i].dn);
+                       current_remaining = res2.msgs.length;
+                       for (i=0;i<res2.msgs.length;i++) {
+                               ldb.del(res2.msgs[i].dn);
                         }
                         
                         var res3 = ldb.search(anything, basedn, ldb.SCOPE_SUBTREE, attrs);
                         }
                         
                         var res3 = ldb.search(anything, basedn, ldb.SCOPE_SUBTREE, attrs);
-                       if (typeof(res3) == "undefined") {
-                               info.message("ldb search failed: " + ldb.errstring() + "\n");
+                       if (res3.error != 0) {
+                               info.message("ldb search(3) failed: " + res3.errstr + "\n");
                                 continue;
                         }
                                 continue;
                         }
-                       if (res3.length != 0) {
-                               info.message("Failed to delete all records under " + basedn + ", " + res3.length + " records remaining\n");
+                       if (res3.msgs.length != 0) {
+                               info.message("Failed to delete all records under " + basedn + ", " + res3.msgs.length + " records remaining\n");
                         }
                 }
         }
                         }
                 }
         }
@@ -260,7 +267,7 @@ function open_ldb(info, dbname, erase)
         ldb.transaction_start();
  
         if (erase) {
         ldb.transaction_start();
  
         if (erase) {
-               ldb_erase(ldb); 
+               ldb_erase(info, ldb);   
         }
         return ldb;
  }
         }
         return ldb;
  }
@@ -277,14 +284,14 @@ function setup_add_ldif(ldif, info, ldb, failok)
         var data = sys.file_load(src);
         data = substitute_var(data, info.subobj);
  
         var data = sys.file_load(src);
         data = substitute_var(data, info.subobj);
  
-       var add_ok = ldb.add(data);
-       if (!add_ok) {
-               info.message("ldb load failed: " + ldb.errstring() + "\n");
+       var add_res = ldb.add(data);
+       if (add_res.error != 0) {
+               info.message("ldb load failed: " + add_res.errstr + "\n");
                 if (!failok) {
                 if (!failok) {
-                       assert(add_ok);
+                       assert(add_res.error == 0);
                 }
         }
                 }
         }
-       return add_ok;
+       return (add_res.error == 0);
  }
  
  function setup_modify_ldif(ldif, info, ldb, failok)
  }
  
  function setup_modify_ldif(ldif, info, ldb, failok)
@@ -295,14 +302,14 @@ function setup_modify_ldif(ldif, info, ldb, failok)
         var data = sys.file_load(src);
         data = substitute_var(data, info.subobj);
  
         var data = sys.file_load(src);
         data = substitute_var(data, info.subobj);
  
-       var mod_ok = ldb.modify(data);
-       if (!mod_ok) {
-               info.message("ldb load failed: " + ldb.errstring() + "\n");
+       var mod_res = ldb.modify(data);
+       if (mod_res.error != 0) {
+               info.message("ldb load failed: " + mod_res.errstr + "\n");
                 if (!failok) {
                 if (!failok) {
-                       assert(mod_ok);
+                       assert(mod_res.error == 0);
                 }
         }
                 }
         }
-       return mod_ok;
+       return (mod_res.error == 0);
  }
  
  
  }
  
  
@@ -339,12 +346,12 @@ function setup_ldb_modify(ldif, info, ldb)
         var data = sys.file_load(src);
         data = substitute_var(data, info.subobj);
  
         var data = sys.file_load(src);
         data = substitute_var(data, info.subobj);
  
-       var mod_ok = ldb.modify(data);
-       if (!mod_ok) {
-               info.message("ldb load failed: " + ldb.errstring() + "\n");
-               return mod_ok;
+       var mod_res = ldb.modify(data);
+       if (mod_res.error != 0) {
+               info.message("ldb load failed: " + mod_res.errstr + "\n");
+               return (mod_res.error == 0);
         }
         }
-       return mod_ok;
+       return (mod_res.error == 0);
  }
  
  /*
  }
  
  /*
@@ -356,6 +363,11 @@ function setup_file(template, message, fname, subobj)
         var f = fname;
         var src = lp.get("setup directory") + "/" + template;
  
         var f = fname;
         var src = lp.get("setup directory") + "/" + template;
  
+       if (! sys.stat(src)) {
+               message("Template file not found: %s\n",src);
+               assert(0);
+       }
+
         sys.unlink(f);
  
         var data = sys.file_load(src);
         sys.unlink(f);
  
         var data = sys.file_load(src);
@@ -370,21 +382,39 @@ function setup_file(template, message, fname, subobj)
  
  function provision_default_paths(subobj)
  {
  
  function provision_default_paths(subobj)
  {
+       /* subobj.DNSDOMAIN isn't available at this point */
+       var dnsdomain = strlower(subobj.REALM);
         var lp = loadparm_init();
         var paths = new Object();
         var lp = loadparm_init();
         var paths = new Object();
-       paths.smbconf = lp.get("config file");
+       paths.smbconf = lp.filename()
         paths.shareconf = lp.get("private dir") + "/" + "share.ldb";
         paths.shareconf = lp.get("private dir") + "/" + "share.ldb";
-       paths.hklm = "hklm.ldb";
-       paths.hkcu = "hkcu.ldb";
-       paths.hkcr = "hkcr.ldb";
-       paths.hku = "hku.ldb";
-       paths.hkpd = "hkpd.ldb";
-       paths.hkpt = "hkpt.ldb";
         paths.samdb = lp.get("sam database");
         paths.samdb = lp.get("sam database");
-       paths.secrets = "secrets.ldb";
-       paths.dns = lp.get("private dir") + "/" + subobj.DNSDOMAIN + ".zone";
+       paths.idmapdb = lp.get("idmap database");
+       paths.secrets = lp.get("secrets database");
+       paths.templates = lp.get("private dir") + "/" + "templates.ldb";
+       paths.keytab = "secrets.keytab";
+       paths.dns_keytab = "dns.keytab";
+       paths.dns_keytab_abs = lp.get("private dir") + "/" + paths.dns_keytab;
+       paths.dns = lp.get("private dir") + "/" + dnsdomain + ".zone";
+       paths.named_conf = lp.get("private dir") + "/named.conf";
         paths.winsdb = "wins.ldb";
         paths.winsdb = "wins.ldb";
-       paths.ldap_basedn_ldif = lp.get("private dir") + "/" + subobj.DNSDOMAIN + ".ldif";
+       paths.ldapdir = lp.get("private dir") + "/ldap";
+
+       paths.s4_ldapi_socket = lp.get("private dir") + "/ldapi";
+       paths.phpldapadminconfig = lp.get("private dir") + "/phpldapadmin-config.php";
+
+       paths.sysvol = lp.get("sysvol", "path");
+
+       if (paths.sysvol == undefined) {
+               paths.sysvol = lp.get("lock dir") + "/sysvol";
+       }
+       
+       paths.netlogon = lp.get("netlogon", "path");
+       
+       if (paths.netlogon == undefined) {
+               paths.netlogon = paths.sysvol + "/" + dnsdomain + "/scripts";
+       }
+
         return paths;
  }
  
         return paths;
  }
  
@@ -398,9 +428,10 @@ function setup_name_mappings(info, ldb)
         var attrs = new Array("objectSid");
         var subobj = info.subobj;
  
         var attrs = new Array("objectSid");
         var subobj = info.subobj;
  
-       res = ldb.search("objectSid=*", subobj.BASEDN, ldb.SCOPE_BASE, attrs);
-       assert(res.length == 1 && res[0].objectSid != undefined);
-       var sid = res[0].objectSid;
+       res = ldb.search("objectSid=*", subobj.DOMAINDN, ldb.SCOPE_BASE, attrs);
+       assert(res.error == 0);
+       assert(res.msgs.length == 1 && res.msgs[0].objectSid != undefined);
+       var sid = res.msgs[0].objectSid;
  
         /* add some foreign sids if they are not present already */
         add_foreign(ldb, subobj, "S-1-5-7",  "Anonymous");
  
         /* add some foreign sids if they are not present already */
         add_foreign(ldb, subobj, "S-1-5-7",  "Anonymous");
@@ -431,6 +462,150 @@ function setup_name_mappings(info, ldb)
         return true;
  }
  
         return true;
  }
  
+function provision_fix_subobj(subobj, paths)
+{
+       var ldb = ldb_init();
+       
+       subobj.REALM       = strupper(subobj.REALM);
+       subobj.HOSTNAME    = strlower(subobj.HOSTNAME);
+       subobj.DOMAIN      = strupper(subobj.DOMAIN);
+       subobj.NETBIOSNAME = strupper(subobj.HOSTNAME);
+       subobj.DNSDOMAIN    = strlower(subobj.REALM);
+       subobj.DNSNAME      = sprintf("%s.%s", 
+                                     strlower(subobj.HOSTNAME), 
+                                     subobj.DNSDOMAIN);
+       var rdn_list = split(".", subobj.DNSDOMAIN);
+       subobj.DOMAINDN     = "DC=" + join(",DC=", rdn_list);
+       subobj.ROOTDN       = subobj.DOMAINDN;
+       subobj.CONFIGDN     = "CN=Configuration," + subobj.ROOTDN;
+       subobj.SCHEMADN     = "CN=Schema," + subobj.CONFIGDN;
+
+       subobj.MACHINEPASS_B64 = ldb.encode(subobj.MACHINEPASS);
+       subobj.KRBTGTPASS_B64  = ldb.encode(subobj.KRBTGTPASS);
+       subobj.ADMINPASS_B64   = ldb.encode(subobj.ADMINPASS);
+       subobj.DNSPASS_B64     = ldb.encode(subobj.DNSPASS);
+
+       subobj.SAM_LDB          = "tdb://" + paths.samdb;
+       subobj.SECRETS_KEYTAB   = paths.keytab;
+       subobj.DNS_KEYTAB       = paths.dns_keytab;
+       subobj.DNS_KEYTAB_ABS   = paths.dns_keytab_abs;
+
+       subobj.LDAPDIR = paths.ldapdir;
+       var ldap_path_list = split("/", paths.ldapdir);
+       subobj.LDAPI_URI = "ldapi://" + join("%2F", ldap_path_list) + "%2Fldapi";
+
+       var s4ldap_path_list = split("/", paths.s4_ldapi_socket);
+       subobj.S4_LDAPI_URI = "ldapi://" + join("%2F", s4ldap_path_list);
+
+       subobj.LDAPMANAGERDN = "cn=Manager," + subobj.DOMAINDN;
+
+       subobj.NETLOGONPATH = paths.netlogon;
+       subobj.SYSVOLPATH = paths.sysvol;
+
+       if (subobj.DOMAIN_CONF == undefined) {
+               subobj.DOMAIN_CONF = subobj.DOMAIN;
+       }
+       if (subobj.REALM_CONF == undefined) {
+               subobj.REALM_CONF = subobj.REALM;
+       }
+       if (strlower(subobj.SERVERROLE) != strlower("domain controller")) {
+               subobj.REALM = subobj.HOSTNAME;
+               subobj.DOMAIN = subobj.HOSTNAME;
+       }
+
+       return true;
+}
+
+function provision_become_dc(subobj, message, erase, paths, session_info)
+{
+       var lp = loadparm_init();
+       var sys = sys_init();
+       var info = new Object();
+
+       var ok = provision_fix_subobj(subobj, paths);
+       assert(ok);
+
+       if (subobj.BACKEND_MOD == undefined) {
+               subobj.BACKEND_MOD = "repl_meta_data";
+       }
+
+       info.subobj = subobj;
+       info.message = message;
+       info.session_info = session_info;
+
+       message("Setting up templates into " + paths.templates + "\n");
+       setup_ldb("provision_templates.ldif", info, paths.templates);
+
+       /* Also wipes the database */
+       message("Setting up " + paths.samdb + " partitions\n");
+       setup_ldb("provision_partitions.ldif", info, paths.samdb);
+
+       var samdb = open_ldb(info, paths.samdb, false);
+
+       message("Setting up " + paths.samdb + " attributes\n");
+       setup_add_ldif("provision_init.ldif", info, samdb, false);
+
+       message("Setting up " + paths.samdb + " rootDSE\n");
+       setup_add_ldif("provision_rootdse_add.ldif", info, samdb, false);
+
+       if (erase) {
+               message("Erasing data from partitions\n");
+               ldb_erase_partitions(info, samdb, undefined);
+       }
+
+       message("Setting up " + paths.samdb + " indexes\n");
+       setup_add_ldif("provision_index.ldif", info, samdb, false);
+
+       ok = samdb.transaction_commit();
+       assert(ok);
+
+       message("Setting up " + paths.secrets + "\n");
+       setup_ldb("secrets_init.ldif", info, paths.secrets);
+
+       setup_ldb("secrets.ldif", info, paths.secrets, false);
+
+       setup_ldb("secrets_dc.ldif", info, paths.secrets, false);
+
+       return true;
+}
+
+function load_schema(subobj, message, samdb)
+{
+       var lp = loadparm_init();
+       var src = lp.get("setup directory") + "/" + "schema.ldif";
+
+       if (! sys.stat(src)) {
+               message("Template file not found: %s\n",src);
+               assert(0);
+       }
+
+       var schema_data = sys.file_load(src);
+
+       src = lp.get("setup directory") + "/" + "schema_samba4.ldif";
+
+       if (! sys.stat(src)) {
+               message("Template file not found: %s\n",src);
+               assert(0);
+       }
+
+       schema_data = schema_data + sys.file_load(src);
+
+       schema_data = substitute_var(schema_data, subobj);
+
+       src = lp.get("setup directory") + "/" + "provision_schema_basedn_modify.ldif";
+
+       if (! sys.stat(src)) {
+               message("Template file not found: %s\n",src);
+               assert(0);
+       }
+
+       var head_data = sys.file_load(src);
+       head_data = substitute_var(head_data, subobj);
+
+       var ok = samdb.attach_dsdb_schema_from_ldif(head_data, schema_data);
+       return ok;
+}
+
  
  /*
    provision samba4 - caution, this wipes all existing data!
  
  /*
    provision samba4 - caution, this wipes all existing data!
@@ -440,19 +615,21 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
         var lp = loadparm_init();
         var sys = sys_init();
         var info = new Object();
         var lp = loadparm_init();
         var sys = sys_init();
         var info = new Object();
+       random_init(local);
+
+       var ok = provision_fix_subobj(subobj, paths);
+       assert(ok);
+
+       if (strlower(subobj.SERVERROLE) == strlower("domain controller")) {
+               if (subobj.BACKEND_MOD == undefined) {
+                       subobj.BACKEND_MOD = "repl_meta_data";
+               }
+       } else {
+               if (subobj.BACKEND_MOD == undefined) {
+                       subobj.BACKEND_MOD = "objectguid";
+               }
+       }
  
  
-       /*
-         some options need to be upper/lower case
-       */
-       subobj.REALM       = strupper(subobj.REALM);
-       subobj.HOSTNAME    = strlower(subobj.HOSTNAME);
-       subobj.DOMAIN      = strupper(subobj.DOMAIN);
-       assert(valid_netbios_name(subobj.DOMAIN));
-       subobj.NETBIOSNAME = strupper(subobj.HOSTNAME);
-       assert(valid_netbios_name(subobj.NETBIOSNAME));
-       var rdns = split(",", subobj.BASEDN);
-       subobj.RDN_DC = substr(rdns[0], strlen("DC="));
-       
         if (subobj.DOMAINGUID != undefined) {
                 subobj.DOMAINGUID_MOD = sprintf("replace: objectGUID\nobjectGUID: %s\n-", subobj.DOMAINGUID);
         } else {
         if (subobj.DOMAINGUID != undefined) {
                 subobj.DOMAINGUID_MOD = sprintf("replace: objectGUID\nobjectGUID: %s\n-", subobj.DOMAINGUID);
         } else {
@@ -473,8 +650,16 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
         /* only install a new smb.conf if there isn't one there already */
         var st = sys.stat(paths.smbconf);
         if (st == undefined) {
         /* only install a new smb.conf if there isn't one there already */
         var st = sys.stat(paths.smbconf);
         if (st == undefined) {
-               message("Setting up smb.conf\n");
-               setup_file("provision.smb.conf", info.message, paths.smbconf, subobj);
+               var smbconfsuffix;
+               if (strlower(subobj.SERVERROLE) == strlower("domain controller")) {
+                       smbconfsuffix = "dc";
+               } else if (strlower(subobj.SERVERROLE) == strlower("member server")) {
+                       smbconfsuffix = "member";
+               } else {
+                       smbconfsuffix = subobj.SERVERROLE;
+               }
+               message("Setting up " + paths.smbconf +"\n");
+               setup_file("provision.smb.conf." + smbconfsuffix, info.message, paths.smbconf, subobj);
                 lp.reload();
         }
         /* only install a new shares config db if there is none */
                 lp.reload();
         }
         /* only install a new shares config db if there is none */
@@ -483,13 +668,20 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
                 message("Setting up share.ldb\n");
                 setup_ldb("share.ldif", info, paths.shareconf);
         }
                 message("Setting up share.ldb\n");
                 setup_ldb("share.ldif", info, paths.shareconf);
         }
-       message("Setting up secrets.ldb\n");
-       setup_ldb("secrets.ldif", info, paths.secrets);
-       message("Setting up keytabs\n");
-       var keytab_ok = credentials_update_all_keytabs();
-       assert(keytab_ok);
-       message("Setting up hklm.ldb\n");
-       setup_ldb("hklm.ldif", info, paths.hklm);
+
+       message("Setting up " + paths.secrets + "\n");
+       setup_ldb("secrets_init.ldif", info, paths.secrets);
+       setup_ldb("secrets.ldif", info, paths.secrets, false);
+
+       message("Setting up the registry\n");
+       var reg = reg_open();
+       reg.apply_patchfile(lp.get("setup directory") + "/provision.reg")
+
+       message("Setting up templates into " + paths.templates + "\n");
+       setup_ldb("provision_templates.ldif", info, paths.templates);
+
+       message("Setting up " + paths.idmapdb +"\n");
+       setup_ldb("idmap_init.ldif", info, paths.idmapdb);
  
         message("Setting up sam.ldb partitions\n");
         /* Also wipes the database */
  
         message("Setting up sam.ldb partitions\n");
         /* Also wipes the database */
@@ -499,73 +691,123 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
  
         message("Setting up sam.ldb attributes\n");
         setup_add_ldif("provision_init.ldif", info, samdb, false);
  
         message("Setting up sam.ldb attributes\n");
         setup_add_ldif("provision_init.ldif", info, samdb, false);
+
+       message("Setting up sam.ldb rootDSE\n");
+       setup_add_ldif("provision_rootdse_add.ldif", info, samdb, false);
+
         message("Erasing data from partitions\n");
         ldb_erase_partitions(info, samdb, ldapbackend);
         
         message("Erasing data from partitions\n");
         ldb_erase_partitions(info, samdb, ldapbackend);
         
-       message("Adding baseDN: " + subobj.BASEDN + " (permitted to fail)\n");
+       // (hack) Reload, now we have the partitions and rootdse loaded.  
+       var commit_ok = samdb.transaction_commit();
+       if (!commit_ok) {
+               info.message("samdb commit failed: " + samdb.errstring() + "\n");
+               assert(commit_ok);
+       }
+       samdb.close();
+
+       message("Pre-loading the Samba4 and AD schema\n");
+       
+       samdb = open_ldb(info, paths.samdb, false);
+
+       samdb.set_domain_sid(subobj.DOMAINSID);
+
+       if (strlower(subobj.SERVERROLE) == strlower("domain controller")) {
+               if (subobj.INVOCATIONID == undefined) {
+                       subobj.INVOCATIONID = randguid();
+               }
+               samdb.set_ntds_invocationId(subobj.INVOCATIONID);
+               if (subobj.BACKEND_MOD == undefined) {
+                       subobj.BACKEND_MOD = "repl_meta_data";
+               }
+       } else {
+               if (subobj.BACKEND_MOD == undefined) {
+                       subobj.BACKEND_MOD = "objectguid";
+               }
+       }
+
+       var load_schema_ok = load_schema(subobj, message, samdb);
+       assert(load_schema_ok.is_ok);
+
+       message("Adding DomainDN: " + subobj.DOMAINDN + " (permitted to fail)\n");
         var add_ok = setup_add_ldif("provision_basedn.ldif", info, samdb, true);
         var add_ok = setup_add_ldif("provision_basedn.ldif", info, samdb, true);
-       message("Modifying baseDN: " + subobj.BASEDN + "\n");
-       var modify_ok = setup_ldb_modify("provision_basedn_modify.ldif", info, samdb);
-       if (!modify_ok) {
+       message("Modifying DomainDN: " + subobj.DOMAINDN + "\n");
+       var modify_basedn_ok = setup_ldb_modify("provision_basedn_modify.ldif", info, samdb);
+       if (!modify_basedn_ok) {
                 if (!add_ok) {
                 if (!add_ok) {
-                       message("Failed to both add and modify " + subobj.BASEDN + " in target " + subobj.LDAPBACKEND + "\n");
+                       message("%s", "Failed to both add and modify " + subobj.DOMAINDN + " in target " + subobj.DOMAINDN_LDB + ": " + samdb.errstring() + "\n");
                         message("Perhaps you need to run the provision script with the --ldap-base-dn option, and add this record to the backend manually\n"); 
                 };
                         message("Perhaps you need to run the provision script with the --ldap-base-dn option, and add this record to the backend manually\n"); 
                 };
-               assert(modify_ok);
+               assert(modify_basedn_ok);
         };
  
         };
  
+       message("Adding configuration container (permitted to fail)\n");
+       var add_config_ok = setup_add_ldif("provision_configuration_basedn.ldif", info, samdb, true);
+       message("Modifying configuration container\n");
+       var modify_config_ok = setup_ldb_modify("provision_configuration_basedn_modify.ldif", info, samdb);
+       if (!modify_config_ok) {
+               if (!add_config_ok) {
+                       message("%s", "Failed to both add and modify " + subobj.CONFIGDN + " in target " + subobj.CONFIGDN_LDB + ": " + samdb.errstring() + "\n");
+                       message("Perhaps you need to run the provision script with the --ldap-base-dn option, and add this record to the backend manually\n"); 
+               }
+               assert(modify_config_ok);
+       }
+
+       message("Adding schema container (permitted to fail)\n");
+       var add_schema_ok = setup_add_ldif("provision_schema_basedn.ldif", info, samdb, true);
+       message("Modifying schema container\n");
+       var modify_schema_ok = setup_ldb_modify("provision_schema_basedn_modify.ldif", info, samdb);
+       if (!modify_schema_ok) {
+               if (!add_schema_ok) {
+                       message("%s", "Failed to both add and modify " + subobj.SCHEMADN + " in target " + subobj.SCHEMADN_LDB + ": " + samdb.errstring() + "\n");
+                       message("Perhaps you need to run the provision script with the --ldap-base-dn option, and add this record to the backend manually\n"); 
+               }
+               message("Failed to modify the schema container: " + samdb.errstring() + "\n");
+               assert(modify_schema_ok);
+       }
+
         message("Setting up sam.ldb Samba4 schema\n");
         setup_add_ldif("schema_samba4.ldif", info, samdb, false);
         message("Setting up sam.ldb AD schema\n");
         setup_add_ldif("schema.ldif", info, samdb, false);
  
         message("Setting up sam.ldb Samba4 schema\n");
         setup_add_ldif("schema_samba4.ldif", info, samdb, false);
         message("Setting up sam.ldb AD schema\n");
         setup_add_ldif("schema.ldif", info, samdb, false);
  
-       // (hack) Reload, now we have the schema loaded.  
-       var commit_ok = samdb.transaction_commit();
-       if (!commit_ok) {
-               info.message("samdb commit failed: " + samdb.errstring() + "\n");
-               assert(commit_ok);
-       }
-       samdb.close();
-
-       samdb = open_ldb(info, paths.samdb, false);
+       message("Setting up sam.ldb configuration data\n");
+       setup_add_ldif("provision_configuration.ldif", info, samdb, false);
  
         message("Setting up display specifiers\n");
         setup_add_ldif("display_specifiers.ldif", info, samdb, false);
  
         message("Setting up display specifiers\n");
         setup_add_ldif("display_specifiers.ldif", info, samdb, false);
-       message("Setting up sam.ldb templates\n");
-       setup_add_ldif("provision_templates.ldif", info, samdb, false);
  
         message("Adding users container (permitted to fail)\n");
  
         message("Adding users container (permitted to fail)\n");
-       var add_ok = setup_add_ldif("provision_users_add.ldif", info, samdb, true);
+       var add_users_ok = setup_add_ldif("provision_users_add.ldif", info, samdb, true);
         message("Modifying users container\n");
         message("Modifying users container\n");
-       var modify_ok = setup_ldb_modify("provision_help_users_mod.ldif", info, samdb);
-       if (!modify_ok) {
-               if (!add_ok) {
+       var modify_users_ok = setup_ldb_modify("provision_users_modify.ldif", info, samdb);
+       if (!modify_users_ok) {
+               if (!add_users_ok) {
                         message("Failed to both add and modify the users container\n");
                         message("Failed to both add and modify the users container\n");
-                       assert(modify_ok);
                 }
                 }
-               assert(modify_ok);
+               assert(modify_users_ok);
         }
         message("Adding computers container (permitted to fail)\n");
         }
         message("Adding computers container (permitted to fail)\n");
-       var add_ok = setup_add_ldif("provision_computers_add.ldif", info, samdb, true);
+       var add_computers_ok = setup_add_ldif("provision_computers_add.ldif", info, samdb, true);
         message("Modifying computers container\n");
         message("Modifying computers container\n");
-       var modify_ok = setup_ldb_modify("provision_computers_modify.ldif", info, samdb);
-       if (!modify_ok) {
-               if (!add_ok) {
+       var modify_computers_ok = setup_ldb_modify("provision_computers_modify.ldif", info, samdb);
+       if (!modify_computers_ok) {
+               if (!add_computers_ok) {
                         message("Failed to both add and modify the computers container\n");
                         message("Failed to both add and modify the computers container\n");
-                       assert(modify_ok);
                 }
                 }
-               assert(modify_ok);
+               assert(modify_computers_ok);
         }
  
         message("Setting up sam.ldb data\n");
         setup_add_ldif("provision.ldif", info, samdb, false);
         }
  
         message("Setting up sam.ldb data\n");
         setup_add_ldif("provision.ldif", info, samdb, false);
-       message("Setting up sam.ldb configuration data\n");
-       setup_add_ldif("provision_configuration.ldif", info, samdb, false);
  
         if (blank != false) {
                 message("Setting up sam.ldb index\n");
                 setup_add_ldif("provision_index.ldif", info, samdb, false);
  
  
         if (blank != false) {
                 message("Setting up sam.ldb index\n");
                 setup_add_ldif("provision_index.ldif", info, samdb, false);
  
+               message("Setting up sam.ldb rootDSE marking as syncronized\n");
+               setup_modify_ldif("provision_rootdse_modify.ldif", info, samdb, false);
+
                 var commit_ok = samdb.transaction_commit();
                 if (!commit_ok) {
                         info.message("ldb commit failed: " + samdb.errstring() + "\n");
                 var commit_ok = samdb.transaction_commit();
                 if (!commit_ok) {
                         info.message("ldb commit failed: " + samdb.errstring() + "\n");
@@ -590,6 +832,24 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
         message("Setting up sam.ldb users and groups\n");
         setup_add_ldif("provision_users.ldif", info, samdb, false);
  
         message("Setting up sam.ldb users and groups\n");
         setup_add_ldif("provision_users.ldif", info, samdb, false);
  
+       if (strlower(subobj.SERVERROLE) == strlower("domain controller")) {
+               message("Setting up self join\n");
+               setup_add_ldif("provision_self_join.ldif", info, samdb, false);
+               setup_add_ldif("provision_group_policy.ldif", info, samdb, false);
+
+               sys.mkdir(paths.sysvol, 0755);
+               sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN, 0755);
+               sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies", 0755);
+               sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies/{" + subobj.POLICYGUID + "}", 0755);
+               sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies/{" + subobj.POLICYGUID + "}/Machine", 0755);
+               sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies/{" + subobj.POLICYGUID + "}/User", 0755);
+
+               sys.mkdir(paths.netlogon, 0755);
+
+               setup_ldb("secrets_dc.ldif", info, paths.secrets, false);
+
+       }
+
         if (setup_name_mappings(info, samdb) == false) {
                 return false;
         }
         if (setup_name_mappings(info, samdb) == false) {
                 return false;
         }
@@ -597,18 +857,83 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
         message("Setting up sam.ldb index\n");
         setup_add_ldif("provision_index.ldif", info, samdb, false);
  
         message("Setting up sam.ldb index\n");
         setup_add_ldif("provision_index.ldif", info, samdb, false);
  
+       message("Setting up sam.ldb rootDSE marking as syncronized\n");
+       setup_modify_ldif("provision_rootdse_modify.ldif", info, samdb, false);
+
         var commit_ok = samdb.transaction_commit();
         if (!commit_ok) {
                 info.message("samdb commit failed: " + samdb.errstring() + "\n");
                 assert(commit_ok);
         }
  
         var commit_ok = samdb.transaction_commit();
         if (!commit_ok) {
                 info.message("samdb commit failed: " + samdb.errstring() + "\n");
                 assert(commit_ok);
         }
  
+       message("Setting up phpLDAPadmin configuration\n");
+       setup_file("phpldapadmin-config.php", info.message, paths.phpldapadminconfig, subobj);
+       message("Please install the phpLDAPadmin configuration located at " + paths.phpldapadminconfig + " into /etc/phpldapadmin/config.php\n");
+
         return true;
  }
  
         return true;
  }
  
+/*
+  provision just the schema into a temporary ldb, so we can run ad2oLschema on it
+*/
+function provision_schema(subobj, message, tmp_schema_path, paths)
+{
+       var lp = loadparm_init();
+       var sys = sys_init();
+       var info = new Object();
+
+       var ok = provision_fix_subobj(subobj, paths);
+       assert(ok);
+
+       info.subobj = subobj;
+       info.message = message;
+
+       message("Setting up sam.ldb partitions\n");
+
+       /* This will erase anything in the tmp db */
+       var samdb = open_ldb(info, tmp_schema_path, true);
+
+       message("Setting up sam.ldb attributes\n");
+       setup_add_ldif("provision_init.ldif", info, samdb, false);
+
+       message("Setting up sam.ldb rootDSE\n");
+       setup_add_ldif("provision_rootdse_add.ldif", info, samdb, false);
+
+       message("Adding schema container (permitted to fail)\n");
+       var add_ok = setup_add_ldif("provision_schema_basedn.ldif", info, samdb, true);
+       message("Modifying schema container\n");
+       var modify_ok = setup_ldb_modify("provision_schema_basedn_modify.ldif", info, samdb);
+       if (!modify_ok) {
+               if (!add_ok) {
+                       message("Failed to both add and modify schema dn: " + samdb.errstring() + "\n");
+                       message("Perhaps you need to run the provision script with the --ldap-base-dn option, and add this record to the backend manually\n"); 
+                       assert(modify_ok);
+               }
+               message("Failed to modify the schema container: " + samdb.errstring() + "\n");
+               assert(modify_ok);
+       }
+
+       message("Setting up sam.ldb Samba4 schema\n");
+       setup_add_ldif("schema_samba4.ldif", info, samdb, false);
+       message("Setting up sam.ldb AD schema\n");
+       setup_add_ldif("schema.ldif", info, samdb, false);
+
+       var commit_ok = samdb.transaction_commit();
+       if (!commit_ok) {
+               info.message("samdb commit failed: " + samdb.errstring() + "\n");
+               assert(commit_ok);
+       }
+       samdb.close();
+}
+
  /* Write out a DNS zone file, from the info in the current database */
  function provision_dns(subobj, message, paths, session_info, credentials)
  {
  /* Write out a DNS zone file, from the info in the current database */
  function provision_dns(subobj, message, paths, session_info, credentials)
  {
+       var lp = loadparm_init();
+       if (strlower(subobj.SERVERROLE) != strlower("domain controller")) {
+               message("No DNS zone required for role %s\n", subobj.SERVERROLE);
+               return;
+       }
         message("Setting up DNS zone: " + subobj.DNSDOMAIN + " \n");
         var ldb = ldb_init();
         ldb.session_info = session_info;
         message("Setting up DNS zone: " + subobj.DNSDOMAIN + " \n");
         var ldb = ldb_init();
         ldb.session_info = session_info;
@@ -622,35 +947,24 @@ function provision_dns(subobj, message, paths, session_info, credentials)
             or may not have been specified, so fetch them from the database */
  
         var attrs = new Array("objectGUID");
             or may not have been specified, so fetch them from the database */
  
         var attrs = new Array("objectGUID");
-       res = ldb.search("objectGUID=*", subobj.BASEDN, ldb.SCOPE_BASE, attrs);
-       assert(res.length == 1);
-       assert(res[0].objectGUID != undefined);
-       subobj.DOMAINGUID = res[0].objectGUID;
+       res = ldb.search("objectGUID=*", subobj.DOMAINDN, ldb.SCOPE_BASE, attrs);
+       assert(res.error == 0);
+       assert(res.msgs.length == 1);
+       assert(res.msgs[0].objectGUID != undefined);
+       subobj.DOMAINGUID = res.msgs[0].objectGUID;
  
  
-       subobj.HOSTGUID = searchone(ldb, subobj.BASEDN, "(&(objectClass=computer)(cn=" + subobj.NETBIOSNAME + "))", "objectGUID");
+       subobj.HOSTGUID = searchone(ldb, subobj.DOMAINDN, "(&(objectClass=computer)(cn=" + subobj.NETBIOSNAME + "))", "objectGUID");
         assert(subobj.HOSTGUID != undefined);
  
         setup_file("provision.zone", 
                    message, paths.dns, 
                    subobj);
  
         assert(subobj.HOSTGUID != undefined);
  
         setup_file("provision.zone", 
                    message, paths.dns, 
                    subobj);
  
-       message("Please install the zone located in " + paths.dns + " into your DNS server\n");
-}
-
-/* Write out a DNS zone file, from the info in the current database */
-function provision_ldapbase(subobj, message, paths)
-{
-       message("Setting up LDAP base entry: " + subobj.BASEDN + " \n");
-       var rdns = split(",", subobj.BASEDN);
-       subobj.EXTENSIBLEOBJECT = "objectClass: extensibleObject";
-
-       subobj.RDN_DC = substr(rdns[0], strlen("DC="));
-
-       setup_file("provision_basedn.ldif", 
-                  message, paths.ldap_basedn_ldif, 
+       setup_file("named.conf", 
+                  message, paths.named_conf, 
                    subobj);
  
                    subobj);
  
-       message("Please install the LDIF located in " + paths.ldap_basedn_ldif + " into your LDAP server, and re-run with --ldap-backend=ldap://my.ldap.server\n");
+       message("Please install the zone located in " + paths.dns + " into your DNS server.  A sample BIND configuration snippit is at " + paths.named_conf + "\n");
  }
  
  
  }
  
  
@@ -665,6 +979,7 @@ function provision_guess()
         var rdn_list;
         random_init(local);
  
         var rdn_list;
         random_init(local);
  
+       subobj.SERVERROLE   = strlower(lp.get("server role"));
         subobj.REALM        = strupper(lp.get("realm"));
         subobj.DOMAIN       = lp.get("workgroup");
         subobj.HOSTNAME     = hostname();
         subobj.REALM        = strupper(lp.get("realm"));
         subobj.DOMAIN       = lp.get("workgroup");
         subobj.HOSTNAME     = hostname();
@@ -676,14 +991,13 @@ function provision_guess()
         subobj.VERSION      = version();
         subobj.HOSTIP       = hostip();
         subobj.DOMAINSID    = randsid();
         subobj.VERSION      = version();
         subobj.HOSTIP       = hostip();
         subobj.DOMAINSID    = randsid();
-       subobj.INVOCATIONID = randguid();
+       subobj.POLICYGUID   = randguid();
         subobj.KRBTGTPASS   = randpass(12);
         subobj.MACHINEPASS  = randpass(12);
         subobj.KRBTGTPASS   = randpass(12);
         subobj.MACHINEPASS  = randpass(12);
+       subobj.DNSPASS  = randpass(12);
         subobj.ADMINPASS    = randpass(12);
         subobj.ADMINPASS    = randpass(12);
+       subobj.LDAPMANAGERPASS     = randpass(12);
         subobj.DEFAULTSITE  = "Default-First-Site-Name";
         subobj.DEFAULTSITE  = "Default-First-Site-Name";
-       subobj.NEWGUID      = randguid;
-       subobj.NTTIME       = nttime;
-       subobj.LDAPTIME     = ldaptime;
         subobj.DATESTRING   = datestring;
         subobj.ROOT         = findnss(nss.getpwnam, "root");
         subobj.NOBODY       = findnss(nss.getpwnam, "nobody");
         subobj.DATESTRING   = datestring;
         subobj.ROOT         = findnss(nss.getpwnam, "root");
         subobj.NOBODY       = findnss(nss.getpwnam, "nobody");
@@ -691,15 +1005,46 @@ function provision_guess()
         subobj.WHEEL        = findnss(nss.getgrnam, "wheel", "root", "staff", "adm");
         subobj.BACKUP       = findnss(nss.getgrnam, "backup", "wheel", "root", "staff");
         subobj.USERS        = findnss(nss.getgrnam, "users", "guest", "other", "unknown", "usr");
         subobj.WHEEL        = findnss(nss.getgrnam, "wheel", "root", "staff", "adm");
         subobj.BACKUP       = findnss(nss.getgrnam, "backup", "wheel", "root", "staff");
         subobj.USERS        = findnss(nss.getgrnam, "users", "guest", "other", "unknown", "usr");
-       subobj.DNSDOMAIN    = strlower(subobj.REALM);
-       subobj.DNSNAME      = sprintf("%s.%s", 
-                                     strlower(subobj.HOSTNAME), 
-                                     subobj.DNSDOMAIN);
-       rdn_list = split(".", subobj.DNSDOMAIN);
-       subobj.BASEDN       = "DC=" + join(",DC=", rdn_list);
-       subobj.LDAPBACKEND  = "users.ldb";
-       subobj.LDAPMODULES = "objectguid";
-       subobj.EXTENSIBLEOBJECT = "# no objectClass: extensibleObject for local ldb";
+
+       //Add modules to the list to activate them by default
+       //beware often order is important
+       //
+       // Some Known ordering constraints:
+       // - rootdse must be first, as it makes redirects from "" -> cn=rootdse
+       // - objectclass must be before password_hash, because password_hash checks
+       //   that the objectclass is of type person (filled in by the objectclass 
+       //   module when expanding the objectclass list)
+       // - partition must be last
+       // - each partition has its own module list then
+       var modules_list     = new Array("rootdse",
+                                        "paged_results",
+                                        "ranged_results",
+                                        "anr",
+                                        "server_sort",
+                                        "extended_dn",
+                                        "asq",
+                                        "samldb",
+                                        "rdn_name",
+                                        "objectclass",
+                                        "kludge_acl",
+                                        "operational");
+       var tdb_modules_list = new Array("subtree_rename",
+                                        "subtree_delete",
+                                        "linked_attributes");
+       var modules_list2    = new Array("show_deleted",
+                                        "partition");
+       subobj.MODULES_LIST = join(",", modules_list);
+       subobj.TDB_MODULES_LIST = "," + join(",", tdb_modules_list);
+       subobj.MODULES_LIST2 = join(",", modules_list2);
+       subobj.DOMAINDN_LDB = "users.ldb";
+       subobj.CONFIGDN_LDB = "configuration.ldb";
+       subobj.SCHEMADN_LDB = "schema.ldb";
+       subobj.DOMAINDN_MOD = "pdc_fsmo,password_hash,instancetype";
+       subobj.CONFIGDN_MOD = "naming_fsmo,instancetype";
+       subobj.SCHEMADN_MOD = "schema_fsmo,instancetype";
+
+       subobj.ACI              = "# no aci for local ldb";
+
         return subobj;
  }
  
         return subobj;
  }
  
@@ -710,11 +1055,12 @@ function searchone(ldb, basedn, expression, attribute)
  {
         var attrs = new Array(attribute);
         res = ldb.search(expression, basedn, ldb.SCOPE_SUBTREE, attrs);
  {
         var attrs = new Array(attribute);
         res = ldb.search(expression, basedn, ldb.SCOPE_SUBTREE, attrs);
-       if (res.length != 1 ||
-           res[0][attribute] == undefined) {
+       if (res.error != 0 ||
+           res.msgs.length != 1 ||
+           res.msgs[0][attribute] == undefined) {
                 return undefined;
         }
                 return undefined;
         }
-       return res[0][attribute];
+       return res.msgs[0][attribute];
  }
  
  /*
  }
  
  /*
@@ -724,8 +1070,9 @@ function enable_account(ldb, user_dn)
  {
         var attrs = new Array("userAccountControl");
         var res = ldb.search(NULL, user_dn, ldb.SCOPE_ONELEVEL, attrs);
  {
         var attrs = new Array("userAccountControl");
         var res = ldb.search(NULL, user_dn, ldb.SCOPE_ONELEVEL, attrs);
-       assert(res.length == 1);
-       var userAccountControl = res[0].userAccountControl;
+       assert(res.error == 0);
+       assert(res.msgs.length == 1);
+       var userAccountControl = res.msgs[0].userAccountControl;
         userAccountControl = userAccountControl - 2; /* remove disabled bit */
         var mod = sprintf("
  dn: %s
         userAccountControl = userAccountControl - 2; /* remove disabled bit */
         var mod = sprintf("
  dn: %s
@@ -735,7 +1082,7 @@ userAccountControl: %u
  ", 
                           user_dn, userAccountControl);
         var ok = ldb.modify(mod);
  ", 
                           user_dn, userAccountControl);
         var ok = ldb.modify(mod);
-       return ok;      
+       return (ok.error == 0); 
  }
  
  
  }
  
  
@@ -760,8 +1107,9 @@ function newuser(username, unixname, password, message, session_info, credential
         /* find the DNs for the domain and the domain users group */
         var attrs = new Array("defaultNamingContext");
         res = ldb.search("defaultNamingContext=*", "", ldb.SCOPE_BASE, attrs);
         /* find the DNs for the domain and the domain users group */
         var attrs = new Array("defaultNamingContext");
         res = ldb.search("defaultNamingContext=*", "", ldb.SCOPE_BASE, attrs);
-       assert(res.length == 1 && res[0].defaultNamingContext != undefined);
-       var domain_dn = res[0].defaultNamingContext;
+       assert(res.error == 0);
+       assert(res.msgs.length == 1 && res.msgs[0].defaultNamingContext != undefined);
+       var domain_dn = res.msgs[0].defaultNamingContext;
         assert(domain_dn != undefined);
         var dom_users = searchone(ldb, domain_dn, "name=Domain Users", "dn");
         assert(dom_users != undefined);
         assert(domain_dn != undefined);
         var dom_users = searchone(ldb, domain_dn, "name=Domain Users", "dn");
         assert(dom_users != undefined);
@@ -776,12 +1124,11 @@ function newuser(username, unixname, password, message, session_info, credential
         var ldif = sprintf("
  dn: %s
  sAMAccountName: %s
         var ldif = sprintf("
  dn: %s
  sAMAccountName: %s
-memberOf: %s
  unixName: %s
  sambaPassword: %s
  objectClass: user
  ",
  unixName: %s
  sambaPassword: %s
  objectClass: user
  ",
-                          user_dn, username, dom_users,
+                          user_dn, username,
                            unixname, password);
         /*
           add the user to the users group as well
                            unixname, password);
         /*
           add the user to the users group as well
@@ -791,7 +1138,7 @@ dn: %s
  changetype: modify
  add: member
  member: %s
  changetype: modify
  add: member
  member: %s
-", 
+",
                                dom_users, user_dn);
  
  
                                dom_users, user_dn);
  
  
@@ -800,15 +1147,15 @@ member: %s
         */
         message("Adding user %s\n", user_dn);
         ok = ldb.add(ldif);
         */
         message("Adding user %s\n", user_dn);
         ok = ldb.add(ldif);
-       if (ok != true) {
-               message("Failed to add %s - %s\n", user_dn, ldb.errstring());
+       if (ok.error != 0) {
+               message("Failed to add %s - %s\n", user_dn, ok.errstr);
                 return false;
         }
  
         message("Modifying group %s\n", dom_users);
         ok = ldb.modify(modgroup);
                 return false;
         }
  
         message("Modifying group %s\n", dom_users);
         ok = ldb.modify(modgroup);
-       if (ok != true) {
-               message("Failed to modify %s - %s\n", dom_users, ldb.errstring());
+       if (ok.error != 0) {
+               message("Failed to modify %s - %s\n", dom_users, ok.errstr);
                 return false;
         }
  
                 return false;
         }
  
@@ -827,7 +1174,7 @@ member: %s
  // crh has a paragraph on this in his book (1.4.1.1)
  function valid_netbios_name(name)
  {
  // crh has a paragraph on this in his book (1.4.1.1)
  function valid_netbios_name(name)
  {
-       if (strlen(name) > 13) return false;
+       if (strlen(name) > 15) return false;
         return true;
  }
  
         return true;
  }
  
@@ -846,15 +1193,21 @@ function provision_validate(subobj, message)
         }
  
  
         }
  
  
-       if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN)) {
+       if (strupper(lp.get("workgroup")) != strupper(subobj.DOMAIN_CONF)) {
                 message("workgroup '%s' in smb.conf must match chosen domain '%s'\n",
                 message("workgroup '%s' in smb.conf must match chosen domain '%s'\n",
-                       lp.get("workgroup"), subobj.DOMAIN);
+                       lp.get("workgroup"), subobj.DOMAIN_CONF);
                 return false;
         }
  
                 return false;
         }
  
-       if (strupper(lp.get("realm")) != strupper(subobj.REALM)) {
+       if (strupper(lp.get("realm")) != strupper(subobj.REALM_CONF)) {
                 message("realm '%s' in smb.conf must match chosen realm '%s'\n",
                 message("realm '%s' in smb.conf must match chosen realm '%s'\n",
-                       lp.get("realm"), subobj.REALM);
+                       lp.get("realm"), subobj.REALM_CONF);
+               return false;
+       }
+
+       if (strlower(lp.get("server role")) != strlower(subobj.SERVERROLE)) {
+               message("server role '%s' in smb.conf must match chosen role '%s'\n",
+                       lp.get("server role"), subobj.SERVERROLE);
                 return false;
         }
  
                 return false;
         }