authorStefan Metzmacher <metze@samba.org>2013-01-23 16:27:17 +0100
committerAndrew Bartlett <abartlet@samba.org>2013-01-27 20:14:21 +1100
commita477649e568577875be577c70a6b25cbeea6985a (patch)
treef9fafa600be23bf649c008df5ac9ad5eafd346e2
parent1de5c2f78544385d2fe270d766fc1ca6726d71fb (diff)
downloadsamba-a477649e568577875be577c70a6b25cbeea6985a.tar.gz
samba-a477649e568577875be577c70a6b25cbeea6985a.tar.bz2
samba-a477649e568577875be577c70a6b25cbeea6985a.zip
provision: fix nTSecurityDescriptor attributes of CN=*,${CONFIGDN} (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/scripting/python/samba/provision/__init__.py21
-rw-r--r--source4/setup/provision_configuration.ldif6
-rw-r--r--source4/setup/provision_configuration_modify.ldif6
-rw-r--r--source4/setup/provision_well_known_sec_princ.ldif1
4 files changed, 34 insertions, 0 deletions
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index cd29e0c95c..8f4928ce2b 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -1298,8 +1298,14 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
# If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
if fill == FILL_FULL:
logger.info("Setting up sam.ldb configuration data")
+
partitions_descr = b64encode(get_config_partitions_descriptor(domainsid))
sites_descr = b64encode(get_config_sites_descriptor(domainsid))
+ ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(domainsid))
+ protected1_descr = b64encode(get_config_delete_protected1_descriptor(domainsid))
+ protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid))
+ protected2_descr = b64encode(get_config_delete_protected2_descriptor(domainsid))
+
setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
"CONFIGDN": names.configdn,
"NETBIOSNAME": names.netbiosname,
@@ -1311,6 +1317,12 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
"SERVERDN": names.serverdn,
"FOREST_FUNCTIONALITY": str(forestFunctionality),
"DOMAIN_FUNCTIONALITY": str(domainFunctionality),
+ "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr,
+ "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr,
+ "SERVICES_DESCRIPTOR": protected1_descr,
+ "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr,
+ "FORESTUPDATES_DESCRIPTOR": protected1wd_descr,
+ "EXTENDEDRIGHTS_DESCRIPTOR": protected2_descr,
"PARTITIONS_DESCRIPTOR": partitions_descr,
"SITES_DESCRIPTOR": sites_descr,
})
@@ -1323,6 +1335,13 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
check_all_substituted(display_specifiers_ldif)
samdb.add_ldif(display_specifiers_ldif)
+ logger.info("Modifying display specifiers")
+ setup_modify_ldif(samdb,
+ setup_path("provision_configuration_modify.ldif"), {
+ "CONFIGDN": names.configdn,
+ "DISPLAYSPECIFIERS_DESCRIPTOR": protected2_descr
+ })
+
logger.info("Adding users container")
users_desc = b64encode(get_domain_users_descriptor(domainsid))
setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
@@ -1372,8 +1391,10 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
"SCHEMADN": names.schemadn})
logger.info("Setting up well known security principals")
+ protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid))
setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), {
"CONFIGDN": names.configdn,
+ "WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr,
})
if fill == FILL_FULL or fill == FILL_SUBDOMAIN:
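Review bot: The new descriptor locals at lines 32–35 (`ntdsquotas_descr`, `protected1_descr`, `protected1wd_descr`, `protected2_descr`) are fed into the template as an opaque mapping at lines 44–49, and nothing in the hunk says which access policy each one encodes, so a reader cannot tell whether CN=Services getting `protected1_descr` while CN=ForestUpdates, CN=LostAndFoundConfig and CN=Physical Locations get `protected1wd_descr` is deliberate. A short comment above line 33 would pin the intent, e.g. `# "protected1"/"protected1wd"/"protected2" are shared container SDs; the container->descriptor mapping below must stay in step with the get_config_*_descriptor helpers`. Separately, `protected1wd_descr` is recomputed at line 69 with the same call as line 34; if the well-known-principals block sits outside the `if fill == FILL_FULL:` branch (the stripped indentation makes this unclear) the recompute is required and a one-line comment saying so would stop a later "deduplication", otherwise the earlier value can simply be reused. fill_samdb starts and ends outside these hunks.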
diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
index 1d818ef95c..42de84afad 100644
--- a/source4/setup/provision_configuration.ldif
+++ b/source4/setup/provision_configuration.ldif
@@ -21,6 +21,7 @@ dn: CN=Extended-Rights,${CONFIGDN}
objectClass: top
objectClass: container
systemFlags: -2147483648
+nTSecurityDescriptor:: ${EXTENDEDRIGHTS_DESCRIPTOR}
dn: CN=Change-Rid-Master,CN=Extended-Rights,${CONFIGDN}
objectClass: top
@@ -706,6 +707,7 @@ validAccesses: 48
dn: CN=ForestUpdates,${CONFIGDN}
objectClass: top
objectClass: container
+nTSecurityDescriptor:: ${FORESTUPDATES_DESCRIPTOR}
dn: CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,${CONFIGDN}
objectClass: top
@@ -1001,6 +1003,7 @@ dn: CN=LostAndFoundConfig,${CONFIGDN}
objectClass: top
objectClass: lostAndFound
systemFlags: -2147483648
+nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR}
dn: CN=NTDS Quotas,${CONFIGDN}
objectClass: top
@@ -1009,6 +1012,7 @@ description: Quota specifications container
isCriticalSystemObject: TRUE
msDS-TombstoneQuotaFactor: 100
systemFlags: -2147483648
+nTSecurityDescriptor:: ${NTDSQUOTAS_DESCRIPTOR}
# Partitions
@@ -1053,6 +1057,7 @@ objectClass: top
objectClass: locality
objectClass: physicalLocation
l: Physical Locations tree root
+nTSecurityDescriptor:: ${PHYSICALLOCATIONS_DESCRIPTOR}
# Schema located in "ad-schema/*.txt"
@@ -1062,6 +1067,7 @@ dn: CN=Services,${CONFIGDN}
objectClass: top
objectClass: container
systemFlags: -2147483648
+nTSecurityDescriptor:: ${SERVICES_DESCRIPTOR}
dn: CN=MsmqServices,CN=Services,${CONFIGDN}
objectClass: top
diff --git a/source4/setup/provision_configuration_modify.ldif b/source4/setup/provision_configuration_modify.ldif
new file mode 100644
index 0000000000..6840604f67
--- /dev/null
+++ b/source4/setup/provision_configuration_modify.ldif
@@ -0,0 +1,6 @@
+dn: CN=DisplaySpecifiers,${CONFIGDN}
+changetype: modify
+-
+replace: nTSecurityDescriptor
+nTSecurityDescriptor:: ${DISPLAYSPECIFIERS_DESCRIPTOR}
+-
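Review bot: The lone `-` at line 127, placed before the first `replace:`, is not part of the RFC 2849 modify syntax, where `-` only terminates each modification spec; ldb's LDIF reader presumably tolerates it, since the file is consumed as-is by setup_modify_ldif, but dropping that one line keeps the file loadable by stricter LDIF tools and avoids a confusing empty modification spec. The `::` form for nTSecurityDescriptor at line 129 correctly matches the base64-encoded value the Python side supplies.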
diff --git a/source4/setup/provision_well_known_sec_princ.ldif b/source4/setup/provision_well_known_sec_princ.ldif
index 54691bd796..1817382a69 100644
--- a/source4/setup/provision_well_known_sec_princ.ldif
+++ b/source4/setup/provision_well_known_sec_princ.ldif
@@ -4,6 +4,7 @@ dn: CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: container
systemFlags: -2147483648
+nTSecurityDescriptor:: ${WELLKNOWNPRINCIPALS_DESCRIPTOR}
dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top