summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthias Dieter Wallnöfer <mwallnoefer@yahoo.de>2009-09-06 19:57:50 +0200
committerMatthias Dieter Wallnöfer <mwallnoefer@yahoo.de>2009-09-07 08:37:25 +0200
commit90d6829f8a6dcb9d4851ad587d75680de6815041 (patch)
tree2a36d1fe079d79bd080a72c91efc330c989b0f9d
parent5107f6fd0acc7d8e5a69bd838f44f74f0a094290 (diff)
downloadsamba-90d6829f8a6dcb9d4851ad587d75680de6815041.tar.gz
samba-90d6829f8a6dcb9d4851ad587d75680de6815041.tar.bz2
samba-90d6829f8a6dcb9d4851ad587d75680de6815041.zip
s4:Foreign security principals - Fix them up
I fixed them up to match with Windows Server 2003. I don't think that the creation of them in the provision script is needed so I put them in the "provision_users.ldif" file.
-rw-r--r--source4/scripting/python/samba/provision.py19
-rw-r--r--source4/setup/provision.ldif2
-rw-r--r--source4/setup/provision_users.ldif29
3 files changed, 31 insertions, 19 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 1fb78ab78e..6056350ab9 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -503,25 +503,6 @@ def setup_name_mappings(samdb, idmap, sid, domaindn, root_uid, nobody_uid,
:param users_gid: gid of the UNIX users group.
:param wheel_gid: gid of the UNIX wheel group."""
- def add_foreign(self, domaindn, sid, desc):
- """Add a foreign security principle."""
- add = """
-dn: CN=%s,CN=ForeignSecurityPrincipals,%s
-objectClass: top
-objectClass: foreignSecurityPrincipal
-description: %s
-""" % (sid, domaindn, desc)
- # deliberately ignore errors from this, as the records may
- # already exist
- for msg in self.parse_ldif(add):
- self.add(msg[1])
-
- add_foreign(samdb, domaindn, "S-1-5-7", "Anonymous")
- add_foreign(samdb, domaindn, "S-1-1-0", "World")
- add_foreign(samdb, domaindn, "S-1-5-2", "Network")
- add_foreign(samdb, domaindn, "S-1-5-18", "System")
- add_foreign(samdb, domaindn, "S-1-5-11", "Authenticated Users")
-
idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
idmap.setup_name_mapping("S-1-5-32-544", idmap.TYPE_GID, wheel_gid)
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 4622112336..bd224ee60d 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -45,6 +45,8 @@ systemFlags: -1946157056
isCriticalSystemObject: TRUE
showInAdvancedViewOnly: FALSE
+# Foreign security principals located in "provision_users.ldif"
+
dn: CN=Infrastructure,${DOMAINDN}
objectClass: top
objectClass: infrastructureUpdate
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index 8669d8a4e6..bc5616ba5b 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -176,6 +176,30 @@ sAMAccountName: Event Log Readers
groupType: -2147483644
isCriticalSystemObject: TRUE
+# Add foreign security principals
+
+dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-4
+
+dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-9
+
+dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-11
+
+dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-20
+
+# Add builtin objects
+
dn: CN=Administrators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
@@ -219,6 +243,8 @@ objectClass: top
objectClass: group
description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
member: CN=Domain Users,CN=Users,${DOMAINDN}
+member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
+member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-545
sAMAccountName: Users
systemFlags: -1946157056
@@ -311,6 +337,7 @@ dn: CN=Performance Log Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members of this group have remote access to schedule logging of performance counters on this computer
+member: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-559
sAMAccountName: Performance Log Users
systemFlags: -1946157056
@@ -350,6 +377,7 @@ dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: A backward compatibility group which allows read access on all users and groups in the domain
+member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-554
sAMAccountName: Pre-Windows 2000 Compatible Access
systemFlags: -1946157056
@@ -372,6 +400,7 @@ dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
+member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-560
sAMAccountName: Windows Authorization Access Group
systemFlags: -1946157056