authorStefan Metzmacher <metze@samba.org>2010-06-25 11:11:56 +0200
committerStefan Metzmacher <metze@samba.org>2010-06-26 09:50:54 +0200
commit712a149802e9613f105861e838a29bb226e62e02 (patch)
treee50278f97e9c49df7a8d01bc6875485aeae3ca75
parent89f94a43d89c9c0238f7b1d3d294175f8482adf9 (diff)
s4:provision: don't use hardcoded values for 'nextRid' and 'rIDAvailablePool'
On Windows dcpromo imports nextRid from the local SAM, which means it's not hardcoded to 1000. The initial rIDAvailablePool starts at nextRid + 100. I also found that the RID Set of the local dc should be created via provision and not at runtime, when the first rid is needed. (Tested with dcpromo on w2k8r2, while disabling the DNS check box). After provision we should have this (assuming nextRid=1000): rIDAllocationPool: 1100-1599 rIDPrevAllocationPool: 1100-1599 rIDUsedPool: 0 rIDNextRID: 1100 rIDAvailablePool: 1600-1073741823 Because provision sets rIDNextRid=1100, the first created account (typically DNS related accounts) will get 1101 as rid! metze
-rw-r--r--source4/scripting/python/samba/provision.py14
-rw-r--r--source4/setup/provision.ldif2
-rw-r--r--source4/setup/provision_basedn_modify.ldif2
-rw-r--r--source4/setup/provision_self_join.ldif2
-rw-r--r--source4/setup/provision_self_join_modify.ldif10
5 files changed, 24 insertions, 6 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index f48795d363..808a39db1f 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -868,7 +868,7 @@ def setup_samdb_rootdse(samdb, setup_path, names):
def setup_self_join(samdb, names,
machinepass, dnspass,
- domainsid, invocationid, setup_path,
+ domainsid, next_rid, invocationid, setup_path,
policyguid, policyguid_dc, domainControllerFunctionality,
ntdsguid):
"""Join a host to its own domain."""
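Review bot: The new `next_rid` parameter is undocumented; the one-line docstring could say what it is, e.g. `"""Join a host to its own domain. next_rid is the RID given to this DC's machine account (DCRID) and the base from which its RID Set pool is derived."""`. Because it is inserted in the middle of the positional list, a caller passing arguments positionally would silently shift `invocationid` and `setup_path`; the only caller visible in this commit uses keywords, so this is a note for out-of-tree callers. The body of setup_self_join continues outside the hunk.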
@@ -890,6 +890,7 @@ def setup_self_join(samdb, names,
"REALM": names.realm,
"DOMAIN": names.domain,
"DOMAINSID": str(domainsid),
+ "DCRID": str(next_rid),
"DNSDOMAIN": names.dnsdomain,
"SAMBA_VERSION_STRING": version,
"NTDSGUID": ntdsguid_line,
@@ -920,6 +921,8 @@ def setup_self_join(samdb, names,
"NETBIOSNAME": names.netbiosname,
"NTDSGUID": names.ntdsguid,
"DNSPASS_B64": b64encode(dnspass),
+ "RIDALLOCATIONSTART": str(next_rid + 100),
+ "RIDALLOCATIONEND": str(next_rid + 100 + 499),
})
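Review bot: The RID pool layout is computed in two unrelated places with bare literals — `next_rid + 100` and `next_rid + 100 + 499` here, and `next_rid + 600` for RIDAVAILABLESTART in the setup_samdb hunk — with nothing tying them together. If one is edited without the other, the DC's rIDAllocationPool would overlap the domain's rIDAvailablePool and two accounts could be handed the same RID, and therefore the same SID. Hoisting them to module-level constants such as `RID_SET_POOL_OFFSET = 100` and `RID_SET_POOL_SIZE = 500`, and deriving both the set range and the available-pool start from them (or passing the computed bounds in from setup_samdb), removes the coupling. A short comment on the RIDALLOCATIONEND line, `# +499: the pool is inclusive, 500 RIDs`, would also make the arithmetic obvious.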
def getpolicypath(sysvolpath, dnsdomain, guid):
@@ -947,7 +950,8 @@ def setup_gpo(sysvolpath, dnsdomain, policyguid, policyguid_dc):
def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
logger, domainsid, domainguid, policyguid, policyguid_dc, fill,
adminpass, krbtgtpass, machinepass, invocationid, dnspass, ntdsguid,
- serverrole, am_rodc=False, dom_for_fun_level=None, schema=None):
+ serverrole, am_rodc=False, dom_for_fun_level=None, schema=None,
+ next_rid=1000):
"""Setup a complete SAM Database.
:note: This will wipe the main SAM database file!
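Review bot: `next_rid` is accepted with no validation, yet the later hunks do arithmetic on it (`next_rid + 100`, `next_rid + 600`) and substitute it into LDIF templates; a non-integer value only fails with a TypeError deep inside setup_self_join, and a value outside the RID range (negative, or within 600 of 1073741823) produces an inverted or overlapping rIDAvailablePool. A guard at the top of the function, e.g. `if not isinstance(next_rid, int) or next_rid < 1: raise ValueError("next_rid must be a positive integer")`, rejects this early with a clear message. The docstring should also gain a `:param next_rid:` entry describing it as the RID of the DC's own account and the base of its RID pool (default 1000). The docstring and the function body continue outside the hunk.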
@@ -1027,6 +1031,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
"CREATTIME": str(int(time.time() * 1e7)), # seconds -> ticks
"DOMAINSID": str(domainsid),
+ "NEXTRID": str(next_rid),
"SCHEMADN": names.schemadn,
"NETBIOSNAME": names.netbiosname,
"DEFAULTSITE": names.sitename,
@@ -1109,6 +1114,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
"DEFAULTSITE": names.sitename,
"CONFIGDN": names.configdn,
"SERVERDN": names.serverdn,
+ "RIDAVAILABLESTART": str(next_rid + 600),
"POLICYGUID_DC": policyguid_dc
})
@@ -1132,7 +1138,9 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
setup_self_join(samdb, names=names, invocationid=invocationid,
dnspass=dnspass,
machinepass=machinepass,
- domainsid=domainsid, policyguid=policyguid,
+ domainsid=domainsid,
+ next_rid=next_rid,
+ policyguid=policyguid,
policyguid_dc=policyguid_dc,
setup_path=setup_path,
domainControllerFunctionality=domainControllerFunctionality,
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 7ba3183c94..2159aeff98 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -809,7 +809,7 @@ dn: CN=RID Manager$,CN=System,${DOMAINDN}
objectClass: top
objectClass: rIDManager
systemFlags: -1946157056
-rIDAvailablePool: 1001-1073741823
+rIDAvailablePool: ${RIDAVAILABLESTART}-1073741823
isCriticalSystemObject: TRUE
dn: CN=RpcServices,CN=System,${DOMAINDN}
diff --git a/source4/setup/provision_basedn_modify.ldif b/source4/setup/provision_basedn_modify.ldif
index 1d5345c60e..b4f3016770 100644
--- a/source4/setup/provision_basedn_modify.ldif
+++ b/source4/setup/provision_basedn_modify.ldif
@@ -68,7 +68,7 @@ replace: msDS-PerUserTrustTombstonesQuota
msDS-PerUserTrustTombstonesQuota: 10
-
replace: nextRid
-nextRid: 1000
+nextRid: ${NEXTRID}
-
replace: nTMixedDomain
nTMixedDomain: 0
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index d4d06f6e63..2530a0e788 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -32,7 +32,7 @@ servicePrincipalName: ldap/${DNSNAME}
servicePrincipalName: ldap/${DNSNAME}/${REALM}
userAccountControl: 532480
userPassword:: ${MACHINEPASS_B64}
-objectSID: ${DOMAINSID}-1000
+objectSID: ${DOMAINSID}-${DCRID}
# Here are missing the objects for the NTFRS subscription since we don't
# support this technique yet.
diff --git a/source4/setup/provision_self_join_modify.ldif b/source4/setup/provision_self_join_modify.ldif
index f81a2b69c7..c2bba888b7 100644
--- a/source4/setup/provision_self_join_modify.ldif
+++ b/source4/setup/provision_self_join_modify.ldif
@@ -28,11 +28,21 @@ changetype: modify
replace: interSiteTopologyGenerator
interSiteTopologyGenerator: CN=NTDS Settings,${SERVERDN}
+dn: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
+changetype: add
+objectClass: rIDSet
+rIDAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
+rIDPreviousAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
+rIDUsedPool: 0
+rIDNextRID: ${RIDALLOCATIONSTART}
+
dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
changetype: modify
add: servicePrincipalName
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN}
servicePrincipalName: ldap/${NTDSGUID}._msdcs.${DNSDOMAIN}
+add: rIDSetReferences
+rIDSetReferences: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
# NOTE: This account is SAMBA4 specific!
dn: CN=dns,CN=Users,${DOMAINDN}