| author | Stefan Metzmacher <metze@samba.org> | 2012-12-11 03:15:26 +0100 | 
|---|---|---|
| committer | Michael Adam <obnox@samba.org> | 2012-12-11 05:20:32 +0100 | 
| commit | 8eb359c23c6379be1ccc32e27fd2316d77a7c7b3 (patch) | |
| tree | 91ecdea5e22e8f63338a732f6cc5965b32179423 | |
| parent | 19b03834f08c2a6645a31fe18121534c692c18d1 (diff) | |
| download | samba-8eb359c23c6379be1ccc32e27fd2316d77a7c7b3.tar.gz samba-8eb359c23c6379be1ccc32e27fd2316d77a7c7b3.tar.bz2 samba-8eb359c23c6379be1ccc32e27fd2316d77a7c7b3.zip  | |
s4:provision: set the correct nTSecurityDescriptor on CN=Users,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
| -rw-r--r-- | source4/scripting/python/samba/provision/__init__.py | 6 | ||||
| -rw-r--r-- | source4/scripting/python/samba/provision/descriptor.py | 13 | ||||
| -rw-r--r-- | source4/setup/provision_users_add.ldif | 1 | 
3 files changed, 19 insertions, 1 deletions
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index 52dacdec32..c5a8b397ab 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -85,6 +85,7 @@ from samba.provision.descriptor import (
     get_domain_infrastructure_descriptor,
     get_domain_builtin_descriptor,
     get_domain_computers_descriptor,
+    get_domain_users_descriptor,
     )
 from samba.provision.common import (
     setup_path,
@@ -1286,8 +1287,11 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
             samdb.add_ldif(display_specifiers_ldif)
         logger.info("Adding users container")
+        users_desc = b64encode(get_domain_users_descriptor(domainsid))
         setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
-                "DOMAINDN": names.domaindn})
+                "DOMAINDN": names.domaindn,
+                "USERS_DESCRIPTOR": users_desc
+                })
         logger.info("Modifying users container")
         setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
                 "DOMAINDN": names.domaindn})
diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
index 8d71969cfd..2a98168a5e 100644
--- a/source4/scripting/python/samba/provision/descriptor.py
+++ b/source4/scripting/python/samba/provision/descriptor.py
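Review bot: The `USERS_DESCRIPTOR` substitution in `fill_samdb` only takes effect when `provision_users_add.ldif` is applied during provisioning, so a domain provisioned before this fix would presumably keep whatever descriptor CN=Users received at that time; nothing in the visible commit touches an existing database. If that is intended, a comment above the `users_desc = ...` line would make it explicit, for example `# Explicit ACL for CN=Users (bug #9481); only applied to newly provisioned domains.` A provision test that reads back `nTSecurityDescriptor` on CN=Users and compares its SDDL with the string built in `get_domain_users_descriptor` would also guard against the attribute being silently dropped again. `fill_samdb` starts and ends outside this hunk.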
@@ -224,6 +224,19 @@ def get_domain_computers_descriptor(domain_sid):
     sec = security.descriptor.from_sddl(sddl, domain_sid)
     return ndr_pack(sec)
+def get_domain_users_descriptor(domain_sid):
+    sddl = "D:" \
+    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+    "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \
+    "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \
+    "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \
+    "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \
+    "(A;;RPLCLORC;;;AU)" \
+    "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \
+    "S:"
+    sec = security.descriptor.from_sddl(sddl, domain_sid)
+    return ndr_pack(sec)
+
 def get_dns_partition_descriptor(domainsid):
     sddl = "O:SYG:BAD:AI" \
     "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
diff --git a/source4/setup/provision_users_add.ldif b/source4/setup/provision_users_add.ldif
index db075d9c80..d5f76ed854 100644
--- a/source4/setup/provision_users_add.ldif
+++ b/source4/setup/provision_users_add.ldif
@@ -1,3 +1,4 @@
 dn: CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: container
+nTSecurityDescriptor:: ${USERS_DESCRIPTOR}  | 
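Review bot: `get_domain_users_descriptor` in descriptor.py has no docstring and its SDDL identifies object classes only by schemaIDGUID, which makes the delegated rights hard to audit. A short docstring saying it returns the NDR-packed security descriptor for CN=Users, plus one comment per object ACE, would help: `bf967aba-…` is the user class, `bf967a9c-…` group, `bf967aa8-…` printQueue and `4828cc14-…` inetOrgPerson, so Account Operators (AO) get create/delete-child for users, groups and inetOrgPerson objects and Print Operators (PO) for print queues. The string also sets no owner or group and leaves `S:` empty, unlike the `O:SYG:BA` prefix of `get_dns_partition_descriptor` just below; a one-line comment such as `# owner/group and SACL intentionally omitted` (if that is the case) would save the next reader from having to verify it.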
