Merge branch 'master' of git://git.samba.org/samba

7 files changed, 152 insertions, 75 deletions

diff --git a/source4/scripting/bin/setup_dns.sh b/source4/scripting/bin/setup_dns.sh
index f20ad145c1..de4485fc07 100755
--- a/source4/scripting/bin/setup_dns.sh
+++ b/source4/scripting/bin/setup_dns.sh
@@ -16,7 +16,7 @@ RSUFFIX=$(echo $DOMAIN | sed s/[\.]/,DC=/g)
     PRIVATEDIR=$(bin/testparm --section-name=global --parameter-name='private dir' --suppress-prompt 2> /dev/null)
 }
 
-OBJECTGUID=$(bin/ldbsearch -H "$PRIVATEDIR/sam.ldb" -b "CN=NTDS Settings,CN=$HOSTNAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=$RSUFFIX" objectguid|grep ^objectGUID| cut -d: -f2)
+OBJECTGUID=$(bin/ldbsearch -s base -H "$PRIVATEDIR/sam.ldb" -b "CN=NTDS Settings,CN=$HOSTNAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=$RSUFFIX" objectguid|grep ^objectGUID| cut -d: -f2)
 
 echo "Found objectGUID $OBJECTGUID"
 
diff --git a/source4/scripting/bin/upgradeprovision b/source4/scripting/bin/upgradeprovision
index da827ace42..23980cd3da 100755
--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -66,8 +66,10 @@ GUESS = 	0x04
 PROVISION =	0x08
 CHANGEALL =	0xff
 
-# Attributes that not copied from the reference provision even if they do not exists in the destination object
-# This is most probably because they are populated automatcally when object is created
+# Attributes that are never copied from the reference provision (even if they
+# do not exist in the destination object).
+# This is most probably because they are populated automatcally when object is
+# created
 hashAttrNotCopied = { 	"dn": 1,"whenCreated": 1,"whenChanged": 1,"objectGUID": 1,"replPropertyMetaData": 1,"uSNChanged": 1,\
 						"uSNCreated": 1,"parentGUID": 1,"objectCategory": 1,"distinguishedName": 1,\
 						"showInAdvancedViewOnly": 1,"instanceType": 1, "cn": 1, "msDS-Behavior-Version":1, "nextRid":1,\
@@ -75,8 +77,9 @@ hashAttrNotCopied = { 	"dn": 1,"whenCreated": 1,"whenChanged": 1,"objectGUID": 1
 						"dBCSPwd":1,"supplementalCredentials":1,"gPCUserExtensionNames":1, "gPCMachineExtensionNames":1,\
 						"maxPwdAge":1, "mail":1, "secret":1,"possibleInferiors":1, "sAMAccountType":1}
 
-# Usually for an object that already exists we do not overwrite attributes as they might have been changed for good
-# reasons. Anyway for a few of thems it's mandatory to replace them otherwise the provision will be broken somehow.
+# Usually for an object that already exists we do not overwrite attributes as
+# they might have been changed for good reasons. Anyway for a few of them it's
+# mandatory to replace them otherwise the provision will be broken somehow.
 hashOverwrittenAtt = {	"prefixMap": replace, "systemMayContain": replace,"systemOnly":replace, "searchFlags":replace,\
 			"mayContain":replace,  "systemFlags":replace,"description":replace,
 			"oEMInformation":replace, "operatingSystemVersion":replace, "adminPropertyPages":replace,
@@ -167,11 +170,13 @@ def get_paths(targetdir=None,smbconf=None):
 
 	lp = param.LoadParm()
 	lp.load(smbconf)
-# Normaly we need the domain name for this function but for our needs it's pointless
+# Normally we need the domain name for this function but for our needs it's
+# pointless
 	paths = provision_paths_from_lp(lp,"foo")
 	return paths
 
-# This function guess(fetch) informations needed to make a fresh provision from the current provision
+# This function guesses (fetches) informations needed to make a fresh provision
+# from the current provision
 # It includes: realm, workgroup, partitions, netbiosname, domain guid, ...
 def guess_names_from_current_provision(credentials,session_info,paths):
 	lp = param.LoadParm()
@@ -191,11 +196,13 @@ def guess_names_from_current_provision(credentials,session_info,paths):
 	names.netbiosname = str(res[0]["sAMAccountName"]).replace("$","")
 
 	names.smbconf = smbconf
-	#It's important here to let ldb load with the old module or it's quite certain that the LDB won't load ...
+	# It's important here to let ldb load with the old module or it's quite
+	# certain that the LDB won't load ...
 	samdb = Ldb(paths.samdb, session_info=session_info,
 		    credentials=credentials, lp=lp, options=["modules:samba_dsdb"])
 
-	# That's a bit simplistic but it's ok as long as we have only 3 partitions
+	# That's a bit simplistic but it's ok as long as we have only 3
+	# partitions
 	attrs2 = ["defaultNamingContext", "schemaNamingContext","configurationNamingContext","rootDomainNamingContext"]
 	current = samdb.search(expression="(objectClass=*)",base="", scope=SCOPE_BASE, attrs=attrs2)
 
@@ -311,9 +318,10 @@ def newprovision(names,setup_dir,creds,session,smbconf):
 		ldap_dryrun_mode=None)
 	return provdir
 
-# This function sorts two dn in the lexicographical order and put higher level DN before
-# So given the dns cn=bar,cn=foo and cn=foo the later will be return as smaller (-1) as it has less
-# level
+# This function sorts two DNs in the lexicographical order and put higher level
+# DN before.
+# So given the dns cn=bar,cn=foo and cn=foo the later will be return as smaller
+# (-1) as it has less level
 def dn_sort(x,y):
 	p = re.compile(r'(?<!\\),')
 	tab1 = p.split(str(x))
@@ -343,7 +351,7 @@ def dn_sort(x,y):
 					return -1
 	return ret
 
-# check from security descriptors modifications return 1 if it is 0 otherwise
+# Check for security descriptors modifications return 1 if it is and 0 otherwise
 # it also populate hash structure for later use in the upgrade process
 def handle_security_desc(ischema,att,msgElt,hashallSD,old,new):
 	if ischema == 1 and att == "defaultSecurityDescriptor"  and msgElt.flags() == ldb.FLAG_MOD_REPLACE:
@@ -361,8 +369,8 @@ def handle_security_desc(ischema,att,msgElt,hashallSD,old,new):
 		return 1
 	return 0
 
-# Hangle special cases ... That's when we want to update an attribute only
-# if it has a certain value or if it's for a certain object or
+# Handle special cases ... That's when we want to update a particular attribute
+# only, e.g. if it has a certain value or if it's for a certain object or
 # a class of object.
 # It can be also if we want to do a merge of value instead of a simple replace
 def handle_special_case(att,delta,new,old,ischema):
@@ -431,7 +439,8 @@ def update_secrets(newpaths,paths,creds,session):
 	for i in range(0,len(reference)):
 		hash_new[str(reference[i]["dn"]).lower()] = reference[i]["dn"]
 
-	# Create a hash for speeding the search of existing object in the current provision
+	# Create a hash for speeding the search of existing object in the
+	# current provision
 	for i in range(0,len(current)):
 		hash[str(current[i]["dn"]).lower()] = current[i]["dn"]
 
@@ -486,9 +495,9 @@ def update_secrets(newpaths,paths,creds,session):
 
 
 # Check difference between the current provision and the reference provision.
-# It looks for all object which base DN is name if ischema is false then scan is done in
-# cross partition mode.
-# If ischema is true, then special handling is done for dealing with schema
+# It looks for all objects which base DN is name. If ischema is "false" then
+# the scan is done in cross partition mode.
+# If "ischema" is true, then special handling is done for dealing with schema
 def check_diff_name(newpaths,paths,creds,session,basedn,names,ischema):
 	hash_new = {}
 	hash = {}
@@ -497,7 +506,8 @@ def check_diff_name(newpaths,paths,creds,session,basedn,names,ischema):
 	listPresent = []
 	reference = []
 	current = []
-	# Connect to the reference provision and get all the attribute in the partition referred by name
+	# Connect to the reference provision and get all the attribute in the
+	# partition referred by name
 	newsam_ldb = Ldb(newpaths.samdb, session_info=session, credentials=creds,lp=lp)
 	sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp, options=["modules:samba_dsdb"])
 	sam_ldb.transaction_start()
@@ -513,7 +523,8 @@ def check_diff_name(newpaths,paths,creds,session,basedn,names,ischema):
 	for i in range(0,len(reference)):
 		hash_new[str(reference[i]["dn"]).lower()] = reference[i]["dn"]
 
-	# Create a hash for speeding the search of existing object in the current provision
+	# Create a hash for speeding the search of existing object in the
+	# current provision
 	for i in range(0,len(current)):
 		hash[str(current[i]["dn"]).lower()] = current[i]["dn"]
 
@@ -523,40 +534,78 @@ def check_diff_name(newpaths,paths,creds,session,basedn,names,ischema):
 		else:
 			listPresent.append(hash_new[k])
 
-	# Sort the missing object in order to have object of the lowest level first (which can be
-	# containers for higher level objects)
+	# Sort the missing object in order to have object of the lowest level
+	# first (which can be containers for higher level objects)
 	listMissing.sort(dn_sort)
 	listPresent.sort(dn_sort)
 
 	if ischema:
-		# The following lines (up to the for loop) is to load the up to date schema into our current LDB
-		# a complete schema is needed as the insertion of attributes and class is done against it
+		# The following lines (up to the for loop) is to load the up to
+		# date schema into our current LDB
+		# a complete schema is needed as the insertion of attributes
+		# and class is done against it
 		# and the schema is self validated
-		# The double ldb open and schema validation is taken from the initial provision script
+		# The double ldb open and schema validation is taken from the
+		# initial provision script
 		# it's not certain that it is really needed ....
 		sam_ldb = Ldb(session_info=session, credentials=creds, lp=lp)
 		schema = Schema(setup_path, names.domainsid, schemadn=basedn, serverdn=str(names.serverdn))
 		# Load the schema from the one we computed earlier
 		sam_ldb.set_schema_from_ldb(schema.ldb)
-		# And now we can connect to the DB - the schema won't be loaded from the DB
+		# And now we can connect to the DB - the schema won't be loaded
+		# from the DB
 		sam_ldb.connect(paths.samdb)
 	else:
 		sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp, options=["modules:samba_dsdb"])
 
 	sam_ldb.transaction_start()
 
-	empty = ldb.Message()
-	message(SIMPLE,"There are %d missing objects"%(len(listMissing)))
-	for dn in listMissing:
-		reference = newsam_ldb.search(expression="dn=%s"%(str(dn)),base=basedn, scope=SCOPE_SUBTREE,controls=["search_options:1:2"])
-		delta = sam_ldb.msg_diff(empty,reference[0])
-		for att in hashAttrNotCopied.keys():
-			delta.remove(att)
-		for att in backlinked:
-			delta.remove(att)
-		delta.dn = dn
+	err_num = 0
+	err_msg = ""
+	while len(listMissing) > 0:
+		listMissing2 = []
+
+		empty = ldb.Message()
+		message(SIMPLE,"There are still %d objects missing"%(len(listMissing)))
 
-		sam_ldb.add(delta,["relax:0"])
+		for dn in listMissing:
+			reference = newsam_ldb.search(expression="dn=%s" % (str(dn)),
+						      base=basedn, scope=SCOPE_SUBTREE,
+						      controls=["search_options:1:2"])
+			delta = sam_ldb.msg_diff(empty,reference[0])
+			for att in hashAttrNotCopied.keys():
+				delta.remove(att)
+			for att in backlinked:
+				delta.remove(att)
+			delta.dn = dn
+
+			try:
+				sam_ldb.add(delta,["relax:0"])
+				# This is needed here since otherwise the
+				# "replmd_meta_data" module doesn't see the
+				# updated data
+				sam_ldb.transaction_commit()
+				sam_ldb.transaction_start()
+			except LdbError, (num, msg):
+				# An exception can happen if a linked object
+				# doesn't exist which can happen if it is also
+				# to be added
+				err_num = num
+				err_msg = msg
+				listMissing2.append(dn)
+
+		if len(listMissing2) == len(listMissing):
+			# We couldn't add any object in this iteration ->
+			# we have to resign and hope that the user manually
+			# fixes the damage
+
+			message(ERROR, "The script isn't capable to do the upgrade fully automatically!")
+			message(ERROR, "Often this happens when important system objects moved their location. Please look for them (for example doable using the displayed 'sAMAccountName' attribute), backup if personally changed and remove them.")
+			message(ERROR, "Reinvoke this script and reapply eventual modifications done before. It is possible to get this error more than once (for each problematic object).")
+
+			raise LdbError(err_num, err_msg)
+
+		listMissing = listMissing2
 
 	changed = 0
 	for dn in listPresent:
@@ -626,7 +675,8 @@ def check_updated_sd(newpaths,paths,creds,session,names):
 				print "%s new sddl/sddl in ref"%key
 				print "%s\n%s"%(sddl,hash_new[key])
 
-# Simple update method for updating the SD that rely on the fact that nobody should have modified the SD
+# Simple update method for updating the SD that rely on the fact that nobody
+# should have modified the SD
 # This assumption is safe right now (alpha9) but should be removed asap
 def update_sd(paths,creds,session,names):
 	sam_ldb = Ldb(paths.samdb, session_info=session, credentials=creds,lp=lp,options=["modules:samba_dsdb"])
@@ -748,7 +798,7 @@ def update_machine_account_password(paths,creds,session,names):
 
 		secretsdb_self_join(secrets_ldb, domain=names.domain,
 				    realm=names.realm,
-					domainsid=names.domainsid,
+				    domainsid=names.domainsid,
 				    dnsdomain=names.dnsdomain,
 				    netbiosname=names.netbiosname,
 				    machinepass=machinepass,
diff --git a/source4/scripting/devel/tmpfs.sh b/source4/scripting/devel/tmpfs.sh
new file mode 100755
index 0000000000..5604f68dd7
--- /dev/null
+++ b/source4/scripting/devel/tmpfs.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# This sets up bin/ and st/ as tmpfs filesystems, which saves a lot of
+# time waiting on the disk!
+
+rm -rf bin st
+mkdir -p bin st || exit 1
+sudo mount -t tmpfs /dev/null bin || exit 1
+sudo chown $USER bin || exit 1
+echo "tmpfs setup for bin/"
+sudo mount -t tmpfs /dev/null st || exit 1
+sudo chown $USER st || exit 1
+echo "tmpfs setup for st/"
diff --git a/source4/scripting/python/samba/__init__.py b/source4/scripting/python/samba/__init__.py
index 5d61c1bd8c..d7df6b979b 100644
--- a/source4/scripting/python/samba/__init__.py
+++ b/source4/scripting/python/samba/__init__.py
@@ -255,7 +255,10 @@ class Ldb(ldb.Ldb):
         :param ldif: LDIF text.
         """
         for changetype, msg in self.parse_ldif(ldif):
-            self.modify(msg, controls)
+            if (changetype == ldb.CHANGETYPE_ADD):
+                self.add(msg, controls)
+            else:
+                self.modify(msg, controls)
 
     def set_domain_sid(self, sid):
         """Change the domain SID used by this LDB.
diff --git a/source4/scripting/python/samba/ms_schema.py b/source4/scripting/python/samba/ms_schema.py
index a4eed581c6..9f5ebcf8cc 100644
--- a/source4/scripting/python/samba/ms_schema.py
+++ b/source4/scripting/python/samba/ms_schema.py
@@ -229,6 +229,8 @@ def __transform_entry(entry, objectClass):
     entry.insert(1, ["objectClass", ["top", objectClass]])
     entry.insert(2, ["cn", cn])
     entry.insert(2, ["objectGUID", str(uuid.uuid4())])
+    entry.insert(2, ["adminDescription", cn])
+    entry.insert(2, ["adminDisplayName", cn])
     
     for l in entry:
         key = l[0].lower()
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index d7d0a790ca..a71b561a86 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -793,9 +793,9 @@ def setup_self_join(samdb, names,
               "DEFAULTSITE": names.sitename,
               "DNSNAME": "%s.%s" % (names.hostname, names.dnsdomain),
               "MACHINEPASS_B64": b64encode(machinepass),
-              "DNSPASS_B64": b64encode(dnspass),
               "REALM": names.realm,
               "DOMAIN": names.domain,
+              "DOMAINSID": str(domainsid),
               "DNSDOMAIN": names.dnsdomain,
               "SAMBA_VERSION_STRING": version,
               "NTDSGUID": ntdsguid_line,
@@ -824,7 +824,8 @@ def setup_self_join(samdb, names,
               "DEFAULTSITE": names.sitename,
               "SERVERDN": names.serverdn,
               "NETBIOSNAME": names.netbiosname,
-              "NTDSGUID": names.ntdsguid
+              "NTDSGUID": names.ntdsguid,
+              "DNSPASS_B64": b64encode(dnspass),
               })
 
 
@@ -892,10 +893,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp,
         samdb.set_opaque_integer("domainControllerFunctionality", domainControllerFunctionality)
 
         samdb.set_domain_sid(str(domainsid))
-        if serverrole == "domain controller":
-            samdb.set_invocation_id(invocationid)
-        # NOTE: the invocationid for standalone and member server
-        # cases is setup in the sambd_dsdb module init function
+        samdb.set_invocation_id(invocationid)
 
         message("Adding DomainDN: %s" % names.domaindn)
 
@@ -945,6 +943,14 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp,
         setup_add_ldif(samdb, setup_path("aggregate_schema.ldif"), 
                        {"SCHEMADN": names.schemadn})
 
+        message("Reopening sam.ldb with new schema");
+        samdb.transaction_commit()
+        samdb = Ldb(session_info=session_info,
+                    credentials=provision_backend.credentials, lp=lp)
+        samdb.connect(path)
+        samdb.transaction_start()
+        samdb.set_invocation_id(invocationid)
+
         message("Setting up sam.ldb configuration data")
         setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
             "CONFIGDN": names.configdn,
@@ -1003,21 +1009,20 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp,
                 "KRBTGTPASS_B64": b64encode(krbtgtpass),
                 })
 
-            if serverrole == "domain controller":
-                message("Setting up self join")
-                setup_self_join(samdb, names=names, invocationid=invocationid, 
-                                dnspass=dnspass,  
-                                machinepass=machinepass, 
-                                domainsid=domainsid, policyguid=policyguid,
-                                policyguid_dc=policyguid_dc,
-                                setup_path=setup_path,
-                                domainControllerFunctionality=domainControllerFunctionality,
-                                ntdsguid=ntdsguid)
-
-                ntds_dn = "CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,%s" % (names.hostname, names.domaindn)
-                names.ntdsguid = samdb.searchone(basedn=ntds_dn,
-                  attribute="objectGUID", expression="", scope=SCOPE_BASE)
-                assert isinstance(names.ntdsguid, str)
+            message("Setting up self join")
+            setup_self_join(samdb, names=names, invocationid=invocationid,
+                            dnspass=dnspass,
+                            machinepass=machinepass,
+                            domainsid=domainsid, policyguid=policyguid,
+                            policyguid_dc=policyguid_dc,
+                            setup_path=setup_path,
+                            domainControllerFunctionality=domainControllerFunctionality,
+                            ntdsguid=ntdsguid)
+
+            ntds_dn = "CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,%s" % (names.hostname, names.domaindn)
+            names.ntdsguid = samdb.searchone(basedn=ntds_dn,
+                                             attribute="objectGUID", expression="", scope=SCOPE_BASE)
+            assert isinstance(names.ntdsguid, str)
 
     except:
         samdb.transaction_cancel()
@@ -1136,7 +1141,7 @@ def provision(setup_dir, message, session_info,
         serverrole = lp.get("server role")
 
     assert serverrole in ("domain controller", "member server", "standalone")
-    if invocationid is None and serverrole == "domain controller":
+    if invocationid is None:
         invocationid = str(uuid.uuid4())
 
     if not os.path.exists(paths.private_dir):
diff --git a/source4/scripting/python/samba/schema.py b/source4/scripting/python/samba/schema.py
index 8913e53b00..f702e9829f 100644
--- a/source4/scripting/python/samba/schema.py
+++ b/source4/scripting/python/samba/schema.py
@@ -35,16 +35,20 @@ from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE
 import os
 
 def get_schema_descriptor(domain_sid):
-    sddl = "O:SAG:SAD:(A;CI;RPLCLORC;;;AU)(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)" \
-           "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
-           "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
-           "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \
-           "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
-           "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \
-           "S:(AU;SA;WPCCDCWOWDSDDTSW;;;WD)" \
-           "(AU;CISA;WP;;;WD)(AU;SA;CR;;;BA)" \
-           "(AU;SA;CR;;;DU)(OU;SA;CR;e12b56b6-0a95-11d1-adbb-00c04fd8d5cd;;WD)" \
-           "(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)"
+    sddl = "O:SAG:SAD:AI(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c" \
+           ";;ER)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)(OA;;CR;1131f6ad-9c07-1" \
+           "1d1-f79f-00c04fc2dcd2;;ER)(OA;;CR;e12b56b6-0a95-11d1-adbb-00c04fd8d5cd;;SA)(O" \
+           "A;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79" \
+           "f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1" \
+           "131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04" \
+           "fc2dcd2;;BA)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;1131f6aa" \
+           "-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2" \
+           ";;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ad-9c07-1" \
+           "1d1-f79f-00c04fc2dcd2;;ED)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;LA)(A;CI;RPWPCRCCLCL" \
+           "ORCWOWDSW;;;SA)(A;CI;RPLCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:(O" \
+           "U;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)(OU;SA;CR;e12b56b6-0a95-11d1" \
+           "-adbb-00c04fd8d5cd;;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPCCDCWOWDSDDTSW;" \
+           ";;WD)(AU;CISA;WP;;;WD)"
     sec = security.descriptor.from_sddl(sddl, domain_sid)
     return ndr_pack(sec)
 
@@ -64,8 +68,8 @@ class Schema(object):
 
         self.schemadn = schemadn
         self.ldb = Ldb()
-        self.schema_data = read_ms_schema(setup_path('ad-schema/MS-AD_Schema_2K8_Attributes.txt'),
-                                          setup_path('ad-schema/MS-AD_Schema_2K8_Classes.txt'))
+        self.schema_data = read_ms_schema(setup_path('ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt'),
+                                          setup_path('ad-schema/MS-AD_Schema_2K8_R2_Classes.txt'))
 
         if files is not None:
             for file in files: