author | Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de> | 2009-09-17 21:19:24 +0200 |
committer | Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de> | 2009-09-17 21:19:24 +0200 |
commit | fa4023d6f73920765aa5fdbcdd6fd934782258cf (patch) | |
tree | d62c65fce9f1f78084097b284b9a88717253d6a2 | |
parent | aadf5e391063c502ac4f234503106ed784b2af15 (diff) | |
s4:provision - Some rework (continuation)
- Fix up "servicePrincipalNames" attributes on the DC object
- Add some informative comments (most in "provision_self_join.ldif")
- Also add comments where objects are missing that we may add later, once we
support the corresponding feature (mainly FRS)
- Add "domain updates" objects also under "CN=Configuration" (they exist twice)
- Add the default services under "Services" to allow interoperability with some
MS client tools
- Smaller changes
-rw-r--r-- | source4/scripting/python/samba/provision.py | 7 | ||||
-rw-r--r-- | source4/setup/provision.ldif | 15 | ||||
-rw-r--r-- | source4/setup/provision_configuration.ldif | 247 | ||||
-rw-r--r-- | source4/setup/provision_self_join.ldif | 82 |
4 files changed, 311 insertions, 40 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 4840efcb63..ca9850304e 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -978,6 +978,7 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, "DOMAINDN": names.domaindn}) message("Setting up sam.ldb data") setup_add_ldif(samdb, setup_path("provision.ldif"), { + "CREATTIME": str(int(time.time()) * 1e7), # seconds -> ticks "DOMAINDN": names.domaindn, "NETBIOSNAME": names.netbiosname, "DEFAULTSITE": names.sitename, @@ -1005,10 +1006,10 @@ def setup_samdb(path, setup_path, session_info, credentials, lp, policyguid_dc=policyguid_dc, setup_path=setup_path, domainControllerFunctionality=domainControllerFunctionality) - # add the NTDSGUID based SPNs + ntds_dn = "CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,%s" % (names.hostname, names.domaindn) - names.ntdsguid = samdb.searchone(basedn=ntds_dn, attribute="objectGUID", - expression="", scope=SCOPE_BASE) + names.ntdsguid = samdb.searchone(basedn=ntds_dn, + attribute="objectGUID", expression="", scope=SCOPE_BASE) assert isinstance(names.ntdsguid, str) except: diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index 1690dc6c02..d46406e144 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif 
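Review bot: `"CREATTIME": str(int(time.time()) * 1e7)` multiplies an integer by the float `1e7`, so the substituted value is a float rendered in scientific notation (for a 2009 timestamp roughly `1.2532e+16`), which is not a valid integer for the `creationTime` attribute the template writes it into. Use integer arithmetic instead, `"CREATTIME": str(int(time.time()) * 10000000), # unix seconds -> 100ns ticks`. If `creationTime` is stored as an NT FILETIME (100ns intervals since 1601-01-01), as other AD time attributes are, the value also needs the epoch offset (`+ 116444736000000000`) or Samba's unix-to-NT-time helper if one is in scope here; please confirm against the attribute's syntax. The enclosing `setup_samdb` starts and ends outside this hunk.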
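Review bot: `ntds_dn` hard-codes `CN=Default-First-Site-Name`, while the hunk above passes the configurable `names.sitename` to the template as `DEFAULTSITE`; provisioning with a non-default site name would make this lookup miss and trip the following assert. Build the DN from the same value, e.g. `ntds_dn = "CN=NTDS Settings,CN=%s,CN=Servers,CN=%s,CN=Sites,CN=Configuration,%s" % (names.hostname, names.sitename, names.domaindn)`. Since `assert` is stripped under `-O` and the surrounding `except:` is bare, a missing GUID would also be better reported with an explicit `raise`. The dropped `# add the NTDSGUID based SPNs` comment is not replaced; a line such as `# fetch the NTDS Settings objectGUID used for the GUID-based SPNs in provision_self_join_modify.ldif` would keep the intent visible. `setup_samdb` continues outside the hunk.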
@@ -5,24 +5,25 @@
 dn: CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: builtinDomain
+creationTime: ${CREATTIME}
 forceLogoff: -9223372036854775808
+isCriticalSystemObject: TRUE
 lockoutDuration: -18000000000
 lockOutObservationWindow: -18000000000
 lockoutThreshold: 0
 maxPwdAge: -37108517437440
 minPwdAge: 0
 minPwdLength: 0
+modifiedCount: 1
 modifiedCountAtLastProm: 0
 nextRid: 1000
-pwdProperties: 0
-pwdHistoryLength: 0
 objectSid: S-1-5-32
+pwdHistoryLength: 0
+pwdProperties: 0
 serverState: 1
-uASCompat: 1
-modifiedCount: 1
-systemFlags: -1946157056
-isCriticalSystemObject: TRUE
 showInAdvancedViewOnly: FALSE
+systemFlags: -1946157056
+uASCompat: 1
 
 dn: CN=Deleted Objects,${DOMAINDN}
 objectClass: top
@@ -366,6 +367,8 @@ objectClass: nTFRSSettings
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
 
+# Here are missing the FRS objects since we don't support this technique yet
+
 dn: CN=FileLinks,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: fileLinkTracking
diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
index ac641da775..a7409966db 100644
--- a/source4/setup/provision_configuration.ldif
+++ b/source4/setup/provision_configuration.ldif
@@ -15,6 +15,8 @@ isDeleted: TRUE
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
 
+# Extended rights
+
 dn: CN=Extended-Rights,${CONFIGDN}
 objectClass: top
 objectClass: container
@@ -637,6 +639,8 @@ appliesTo: bf967a8f-0de6-11d0-a285-00aa003049e2
 localizationDisplayId: 28
 validAccesses: 256
 
+# Forest updates
+
 dn: CN=ForestUpdates,${CONFIGDN}
 objectClass: top
 objectClass: container
@@ -645,6 +649,154 @@ dn: CN=Operations,CN=ForestUpdates,${CONFIGDN} objectClass: top objectClass: container +dn: CN=6b800a81-affe-4a15-8e41-6ea0c7aa89e4,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=dd07182c-3174-4c95-902a-d64fee285bbf,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=ffa5ee3c-1405-476d-b344-7ad37d69cc25,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=099f1587-af70-49c6-ab6c-7b3e82be0fe2,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=94fdebc6-8eeb-4640-80de-ec52b9ca17fa,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=1a3f6b15-55f2-4752-ba27-3d38a8232c4d,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=dee21a17-4e8e-4f40-a58c-c0c009b685a7,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=9bd98bb4-4047-4de5-bf4c-7bd1d0f6d21d,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=3fe80fbf-bf39-4773-b5bd-3e5767a30d2d,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=f02915e2-9141-4f73-b8e7-2804662782da,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=39902c52-ef24-4b4b-8033-2c9dfdd173a2,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=20bf09b4-6d0b-4cd1-9c09-4231edf1209b,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=94f238bb-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=94f238bc-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: 
CN=94f238bd-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=94f238be-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=94f238bf-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=94f238c0-831c-11d6-977b-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=eda27b47-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=eda27b48-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=eda27b49-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=eda27b4a-e610-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=26d9c510-e61a-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=26d9c511-e61a-11d6-9793-00c04f613221,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=3467dae5-dedd-4648-9066-f48ac186b20a,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=33b7ee33-1386-47cf-baa1-b03e06473253,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=e9ee8d55-c2fb-4723-a333-c80ff4dfbf45,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=ccfae63a-7fb5-454c-83ab-0e8e1214974e,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=ad3c7909-b154-4c16-8bf7-2c3a7870bb3d,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: 
CN=26ad2ebf-f8f5-44a4-b97c-a616c8b9d09a,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=4444c516-f43a-4c12-9c4b-b5c064941d61,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=436a1a4b-f41a-46e6-ac86-427720ef29f3,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=b2b7fb45-f50d-41bc-a73b-8f580f3b636a,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=1bdf6366-c3db-4d0b-b8cb-f99ba9bce20f,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=63c0f51a-067c-4640-8a4f-044fb33f1049,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=dae441c0-366e-482e-98d9-60a99a1898cc,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + +dn: CN=7dd09ca6-f0d6-43bf-b7f8-ef348f435617,CN=Operations,CN=ForestUpdates,${CONFIGDN} +objectClass: top +objectClass: container + dn: CN=Windows2003Update,CN=ForestUpdates,${CONFIGDN} objectClass: top objectClass: container @@ -662,6 +814,8 @@ description: Quota specifications container msDS-TombstoneQuotaFactor: 100 systemFlags: -2147483648 +# Partitions + dn: CN=Partitions,${CONFIGDN} objectClass: top objectClass: crossRefContainer @@ -669,6 +823,8 @@ systemFlags: -2147483648 msDS-Behavior-Version: ${FOREST_FUNCTIONALALITY} showInAdvancedViewOnly: TRUE +# Partitions for DNS are missing since we don't support AD DNS + dn: CN=Enterprise Configuration,CN=Partitions,${CONFIGDN} objectClass: top objectClass: crossRef 
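Review bot: The 37 operation GUID containers added under `CN=Operations,CN=ForestUpdates` carry no comment saying what they represent or where the list was taken from. As far as I understand, Windows domain-preparation tooling (adprep-style checks) reads this container to decide which forest updates have already been applied, so listing an operation here asserts that the corresponding schema or configuration change is already part of Samba's provision; a mismatch would make such tools skip work rather than perform it. Suggested header comment before the first entry: `# Operation GUIDs a Windows forestprep records as completed; listing one here asserts the matching change is already in this provision - keep in sync with the shipped schema`. Please also name the Windows version the list was captured from in that comment.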
@@ -699,11 +855,91 @@ l: Physical Locations tree root
 
 # Schema located in "ad-schema/*.txt"
 
+# Services
+
 dn: CN=Services,${CONFIGDN}
 objectClass: top
 objectClass: container
 systemFlags: -2147483648
 
+dn: CN=MsmqServices,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: mSMQEnterpriseSettings
+mSMQVersion: 200
+
+dn: CN=NetServices,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=Certificate Templates,CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=Enrollment Services,CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=Certification Authorities,CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=AIA,CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=CDP,CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=KRA,CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=OID,CN=Public Key Services,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: msPKI-Enterprise-Oid
+
+dn: CN=RRAS,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: container
+
+dn: CN=IdentityDictionary,CN=RRAS,CN=Services,${CONFIGDN}
+objectClass: top
+objectClass: rRASAdministrationDictionary
+msRRASVendorAttributeEntry: 311:6:803:RADIUS Accouting
+msRRASVendorAttributeEntry: 311:6:802:RADIUS Authentication
+msRRASVendorAttributeEntry: 311:6:801:NT Domain Authentication
+msRRASVendorAttributeEntry: 311:6:714:Point to point parallel connection
+msRRASVendorAttributeEntry: 311:6:713:Point to point serial connection
+msRRASVendorAttributeEntry: 311:6:712:Generic LAN
+msRRASVendorAttributeEntry: 311:6:711:Generic WAN
+msRRASVendorAttributeEntry: 311:6:710:X.25
+msRRASVendorAttributeEntry: 311:6:709:IrDA
+msRRASVendorAttributeEntry: 311:6:708:Switched 56
+msRRASVendorAttributeEntry: 311:6:707:SONET
+msRRASVendorAttributeEntry: 311:6:706:Modem
+msRRASVendorAttributeEntry: 311:6:705:ISDN
+msRRASVendorAttributeEntry: 311:6:704:ATM
+msRRASVendorAttributeEntry: 311:6:703:Frame Relay
+msRRASVendorAttributeEntry: 311:6:702:Layer 2 Tunneling Protocol
+msRRASVendorAttributeEntry: 311:6:701:Point-to-Point Tunneling Protocol
+msRRASVendorAttributeEntry: 311:6:604:Network Address and Port Translation
+msRRASVendorAttributeEntry: 311:6:603:Demand Dial Router
+msRRASVendorAttributeEntry: 311:6:602:Remote Access Server
+msRRASVendorAttributeEntry: 311:6:601:LAN-to- LAN Router
+msRRASVendorAttributeEntry: 311:6:503:AppleTalk Forwarding Enabled
+msRRASVendorAttributeEntry: 311:6:502:IPX Forwarding Enabled
+msRRASVendorAttributeEntry: 311:6:501:IP Forwarding Enabled
+msRRASVendorAttributeEntry: 311:5:2:IPX SAP
+msRRASVendorAttributeEntry: 311::5:1:IPX RIP
+msRRASVendorAttributeEntry: 311:1:10:IGMP Only
+msRRASVendorAttributeEntry: 311:0:13:OSPF
+msRRASVendorAttributeEntry: 311:0:8:RIP (version 1 or 2)
+
 dn: CN=Windows NT,CN=Services,${CONFIGDN}
 objectClass: top
 objectClass: container
@@ -711,7 +947,9 @@ objectClass: container
 dn: CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN}
 objectClass: top
 objectClass: nTDSService
-sPNMappings: host=ldap,dns,cifs,http
+msDS-Other-Settings: DisableVLVSupport=0
+msDS-Other-Settings: DynamicObjectMinTTL=900
+msDS-Other-Settings: DynamicObjectDefaultTTL=86400
 
 dn: CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN}
 objectClass: top
@@ -734,6 +972,8 @@ lDAPAdminLimits: MaxConnIdleTime=900
 lDAPAdminLimits: InitRecvTimeout=120
 lDAPAdminLimits: MaxConnections=5000
 
+# Sites
+
 dn: CN=Sites,${CONFIGDN}
 objectClass: top
 objectClass: sitesContainer
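Review bot: In the new `CN=IdentityDictionary,CN=RRAS` entry, `msRRASVendorAttributeEntry: 311::5:1:IPX RIP` has a doubled colon unlike every neighbouring value (compare `311:5:2:IPX SAP`), which looks like a transcription slip; the consistent form would be `msRRASVendorAttributeEntry: 311:5:1:IPX RIP`. Some of these strings may be copied verbatim from a Windows DC including its own typos (e.g. `RADIUS Accouting`), so please verify against a Windows dump before touching any of the others. The `Public Key Services` containers are also added without a note that they are empty shells for interoperability (no CA, template or enrollment objects are provisioned); a line such as `# Empty PKI containers so MS tools can enumerate them; no CA objects are provisioned` would stop readers from assuming AD CS support.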
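Review bot: The hunk drops `sPNMappings: host=ldap,dns,cifs,http` from `CN=Directory Service,CN=Windows NT,CN=Services` and replaces it with `msDS-Other-Settings` values, but nothing in the commit re-adds the mapping. On Windows this attribute tells the KDC which service classes (`cifs/`, `ldap/`, `http/`, ...) resolve to a `HOST/` SPN; if Samba's KDC honours it, clients requesting `cifs/<dc>` tickets would now get principal-unknown instead of a ticket under the DC's `HOST/` key. Unless the removal is intentional and handled elsewhere, keep the line (or the full Windows default list) alongside the new settings: `sPNMappings: host=ldap,dns,cifs,http`. If it is intentional, a comment explaining why the mapping is no longer needed belongs here.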
@@ -759,6 +999,7 @@ objectClass: top
 objectClass: interSiteTransport
 transportAddressAttribute: dNSHostName
 transportDLLName: ismip.dll
+systemFlags: -2147483648
 
 dn: CN=DEFAULTIPSITELINK,CN=IP,CN=Inter-Site Transports,CN=Sites,${CONFIGDN}
 objectClass: top
@@ -785,3 +1026,7 @@ objectClass: top
 objectClass: serversContainer
 systemFlags: 33554432
 
+dn: CN=Subnets,CN=Sites,${CONFIGDN}
+objectClass: top
+objectClass: subnetContainer
+systemFlags: -1073741824
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index c59c421b7f..639bc96040 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -1,41 +1,43 @@ -# Join the DC to itself +# Accounts for selfjoin (joins DC to itself) +# Object under "Domain Controllers" dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN} objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user objectClass: computer -userAccountControl: 532480 -localPolicyFlags: 0 -primaryGroupID: 516 accountExpires: 9223372036854775807 -sAMAccountName: ${NETBIOSNAME}$ +dNSHostName: ${DNSNAME} +# "frsComputerReferenceBL" doesn't exist since we still miss FRS support +isCriticalSystemObject: TRUE +localPolicyFlags: 0 operatingSystem: Samba operatingSystemVersion: ${SAMBA_VERSION_STRING} -dNSHostName: ${DNSNAME} -userPassword:: ${MACHINEPASS_B64} -servicePrincipalName: HOST/${DNSNAME} +primaryGroupID: 516 +# "rIDSetReferences" doesn't exist since we still miss distributed RIDs +sAMAccountName: ${NETBIOSNAME}$ +# "servicePrincipalName" for FRS doesn't exit since we still miss FRS support +# "servicePrincipalName"s for DNS ("ldap/../ForestDnsZones", +# "ldap/../DomainDnsZones", "DNS/..") don't exist since we don't support AD DNS +servicePrincipalName: GC/${DNSNAME}/${REALM} +servicePrincipalName: HOST/${DNSNAME}/${DOMAIN} servicePrincipalName: HOST/${NETBIOSNAME} +servicePrincipalName: HOST/${DNSNAME} servicePrincipalName: HOST/${DNSNAME}/${REALM} -servicePrincipalName: HOST/${NETBIOSNAME}/${REALM} -servicePrincipalName: HOST/${DNSNAME}/${DOMAIN} -servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN} -isCriticalSystemObject: TRUE +# "servicePrincipalName"s with GUIDs are located in +# "provision_self_join_modify.ldif" +servicePrincipalName: ldap/${DNSNAME}/${DOMAIN} +servicePrincipalName: ldap/${NETBIOSNAME} +servicePrincipalName: ldap/${DNSNAME} +servicePrincipalName: ldap/${DNSNAME}/${REALM} +userAccountControl: 532480 +userPassword:: ${MACHINEPASS_B64} -#Provide a account for DNS keytab export -dn: CN=dns,CN=Users,${DOMAINDN} -objectClass: top -objectClass: person -objectClass: organizationalPerson 
-objectClass: user -description: DNS Service Account -userAccountControl: 514 -accountExpires: 9223372036854775807 -sAMAccountName: dns -servicePrincipalName: DNS/${DNSDOMAIN} -userPassword:: ${DNSPASS_B64} -isCriticalSystemObject: TRUE +# Here are missing the objects for the NTFRS subscription and the RID set since +# we don't support those techniques (FRS, distributed RIDs) yet. + +# Objects under "Configuration/Sites/<Default sitename>/Servers" dn: ${SERVERDN} objectClass: top @@ -48,14 +50,34 @@ dn: CN=NTDS Settings,${SERVERDN} objectClass: top objectClass: applicationSettings objectClass: nTDSDSA -options: 1 -systemFlags: 33554432 dMDLocation: ${SCHEMADN} +hasMasterNCs: ${CONFIGDN} +hasMasterNCs: ${SCHEMADN} +hasMasterNCs: ${DOMAINDN} invocationId: ${INVOCATIONID} msDS-Behavior-Version: ${DOMAIN_CONTROLLER_FUNCTIONALITY} +msDS-HasDomainNCs: ${DOMAINDN} +# "msDS-HasInstantiatedNCs"s for DNS don't exist since we don't support AD DNS +msDS-HasInstantiatedNCs: B:8:0000000D:${CONFIGDN} +msDS-HasInstantiatedNCs: B:8:0000000D:${SCHEMADN} +msDS-HasInstantiatedNCs: B:8:00000005:${DOMAINDN} +# "msDS-hasMasterNCs"s for DNS don't exist since we don't support AD DNS msDS-hasMasterNCs: ${CONFIGDN} msDS-hasMasterNCs: ${SCHEMADN} msDS-hasMasterNCs: ${DOMAINDN} -hasMasterNCs: ${CONFIGDN} -hasMasterNCs: ${SCHEMADN} -hasMasterNCs: ${DOMAINDN} +options: 1 +systemFlags: 33554432 + +# Provides an account for DNS keytab export +dn: CN=dns,CN=Users,${DOMAINDN} +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +description: DNS Service Account +userAccountControl: 514 +accountExpires: 9223372036854775807 +sAMAccountName: dns +servicePrincipalName: DNS/${DNSDOMAIN} +userPassword:: ${DNSPASS_B64} +isCriticalSystemObject: TRUE |
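Review bot: The new comment `# "servicePrincipalName" for FRS doesn't exit since we still miss FRS support` has a typo (`exit` should be `exist`), and the repeated "we still miss X support" phrasing reads awkwardly; suggested wording `# No FRS "servicePrincipalName": FRS replication is not supported yet`, with the `frsComputerReferenceBL` and `rIDSetReferences` comments reworded the same way. The SPN set of the DC account also changed shape (GC/ and ldap/ SPNs added, `HOST/${NETBIOSNAME}/${REALM}` and `HOST/${NETBIOSNAME}/${DOMAIN}` dropped) with only "Fix up servicePrincipalNames" in the commit message; a short comment stating what the list is modelled on (presumably the SPNs a Windows DC registers for itself) would explain the removals to the next reader.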
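Review bot: The relocated `CN=dns,CN=Users` account keeps `userAccountControl: 514`, which if I read the UAC bits correctly is NORMAL_ACCOUNT|ACCOUNTDISABLE, yet nothing says the disabled state is intentional; a later reader could "fix" it and turn a pure key-holder with a never-expiring `accountExpires` into a logon-capable principal. Suggest extending the comment to `# Provides an account for DNS keytab export; deliberately disabled (UAC 514) so its key can be exported without the account being usable for logon`. The new `msDS-HasInstantiatedNCs` values `B:8:0000000D:` and `B:8:00000005:` are opaque flag words that differ between the config/schema and domain partitions; a comment naming the flag bits they encode (or a reference to the relevant spec section) would help maintainers.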