r8790: Finish the migration of aliases and privilages with SamSync, by adding

templating support for foreignSecurityPrincipals to the samdb module. This is an extension beyond what microsoft does, and has been very useful :-) The setup scripts have been modified to use the new template, as has the SAMR and LSA code. Other cleanups in LSA remove the assumption that the short domain name is the first component of the realm. Also add a lot of useful debug messages, to make it clear how/why the SamSync may have gone wrong. Many of these should perhaps be hooked into an error string. Andrew Bartlett (This used to be commit 1f071b0609c5c83024db1d4a7d04334a932b8253)
author: Andrew Bartlett <abartlet@samba.org> 2005-07-27 00:23:09 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 13:30:05 -0500
commit: 66b2a04346a568e6564b9cb21a89cf887cad3d03 (patch)
tree: f87081c370373939889c695fb0da0be0746bff69 /source4/setup/provision_users.ldif
parent: 40119dcb1d72795513bdad4018eff19fdc4a203d (diff)
download: samba-66b2a04346a568e6564b9cb21a89cf887cad3d03.tar.gz
samba-66b2a04346a568e6564b9cb21a89cf887cad3d03.tar.bz2
samba-66b2a04346a568e6564b9cb21a89cf887cad3d03.zip
1 files changed, 459 insertions, 0 deletions
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
new file mode 100644
index 0000000000..2e420b226a
--- /dev/null
+++ b/source4/setup/provision_users.ldif
@@ -0,0 +1,459 @@
+dn: CN=Administrator,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: Administrator
+description: Built-in account for administering the computer/domain
+uSNCreated: 1
+memberOf: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
+memberOf: CN=Domain Admins,CN=Users,${BASEDN}
+memberOf: CN=Enterprise Admins,CN=Users,${BASEDN}
+memberOf: CN=Schema Admins,CN=Users,${BASEDN}
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+userAccountControl: 0x10200
+objectSid: ${DOMAINSID}-500
+adminCount: 1
+accountExpires: -1
+sAMAccountName: Administrator
+isCriticalSystemObject: TRUE
+unicodePwd: ${ADMINPASS}
+unixName: ${ROOT}
+
+dn: CN=Guest,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: Guest
+description: Built-in account for guest access to the computer/domain
+uSNCreated: 1
+memberOf: CN=Guests,CN=Builtin,${BASEDN}
+uSNChanged: 1
+userAccountControl: 0x10222
+primaryGroupID: 514
+objectSid: ${DOMAINSID}-501
+sAMAccountName: Guest
+isCriticalSystemObject: TRUE
+
+dn: CN=Administrators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Administrators
+description: Administrators have complete and unrestricted access to the computer/domain
+member: CN=Domain Admins,CN=Users,${BASEDN}
+member: CN=Enterprise Admins,CN=Users,${BASEDN}
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-544
+adminCount: 1
+sAMAccountName: Administrators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+privilege: SeSecurityPrivilege
+privilege: SeBackupPrivilege
+privilege: SeRestorePrivilege
+privilege: SeSystemtimePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeRemoteShutdownPrivilege
+privilege: SeTakeOwnershipPrivilege
+privilege: SeDebugPrivilege
+privilege: SeSystemEnvironmentPrivilege
+privilege: SeSystemProfilePrivilege
+privilege: SeProfileSingleProcessPrivilege
+privilege: SeIncreaseBasePriorityPrivilege
+privilege: SeLoadDriverPrivilege
+privilege: SeCreatePagefilePrivilege
+privilege: SeIncreaseQuotaPrivilege
+privilege: SeChangeNotifyPrivilege
+privilege: SeUndockPrivilege
+privilege: SeManageVolumePrivilege
+privilege: SeImpersonatePrivilege
+privilege: SeCreateGlobalPrivilege
+privilege: SeEnableDelegationPrivilege
+privilege: SeInteractiveLogonRight
+privilege: SeNetworkLogonRight
+privilege: SeRemoteInteractiveLogonRight
+
+
+dn: CN=${NETBIOSNAME},OU=Domain Controllers,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: computer
+cn: ${NETBIOSNAME}
+uSNCreated: 1
+uSNChanged: 1
+objectGUID: ${HOSTGUID}
+userAccountControl: 532480
+lastLogon: 127273269057298624
+localPolicyFlags: 0
+pwdLastSet: 127258826171655328
+primaryGroupID: 516
+objectSid: ${DOMAINSID}-1000
+accountExpires: 9223372036854775807
+sAMAccountName: ${NETBIOSNAME}$
+sAMAccountType: 805306369
+operatingSystem: Samba
+operatingSystemVersion: 4.0
+dNSHostName: ${DNSNAME}
+isCriticalSystemObject: TRUE
+unicodePwd: ${MACHINEPASS}
+servicePrincipalName: HOST/${DNSNAME}
+servicePrincipalName: HOST/${NETBIOSNAME}
+msDS-KeyVersionNumber: 1
+
+
+dn: CN=Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Users
+description: Users are prevented from making accidental or intentional system-wide changes.  Thus, Users can run certified applications, but not most legacy applications
+member: CN=Domain Users,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-545
+sAMAccountName: Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Guests,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Guests
+description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
+member: CN=Domain Guests,CN=Users,${BASEDN}
+member: CN=Guest,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-546
+sAMAccountName: Guests
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${NOGROUP}
+
+dn: CN=Print Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Print Operators
+description: Members can administer domain printers
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-550
+adminCount: 1
+sAMAccountName: Print Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeLoadDriverPrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Backup Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Backup Operators
+description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-551
+adminCount: 1
+sAMAccountName: Backup Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeBackupPrivilege
+privilege: SeRestorePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Replicator,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Replicator
+description: Supports file replication in a domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-552
+adminCount: 1
+sAMAccountName: Replicator
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Remote Desktop Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Remote Desktop Users
+description: Members in this group are granted the right to logon remotely
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-555
+sAMAccountName: Remote Desktop Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Network Configuration Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Network Configuration Operators
+description: Members in this group can have some administrative privileges to manage configuration of networking features
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-556
+sAMAccountName: Network Configuration Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Performance Monitor Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Performance Monitor Users
+description: Members of this group have remote access to monitor this computer
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-558
+sAMAccountName: Performance Monitor Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Performance Log Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Performance Log Users
+description: Members of this group have remote access to schedule logging of performance counters on this computer
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-559
+sAMAccountName: Performance Log Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=krbtgt,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: krbtgt
+description: Key Distribution Center Service Account
+uSNCreated: 1
+uSNChanged: 1
+showInAdvancedViewOnly: TRUE
+userAccountControl: 514
+pwdLastSet: 127258826179466560
+objectSid: ${DOMAINSID}-502
+adminCount: 1
+accountExpires: 9223372036854775807
+sAMAccountName: krbtgt
+sAMAccountType: 805306368
+servicePrincipalName: kadmin/changepw
+isCriticalSystemObject: TRUE
+unicodePwd: ${KRBTGTPASS}
+
+dn: CN=Domain Computers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Computers
+description: All workstations and servers joined to the domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-515
+sAMAccountName: Domain Computers
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Controllers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Controllers
+description: All domain controllers in the domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-516
+adminCount: 1
+sAMAccountName: Domain Controllers
+isCriticalSystemObject: TRUE
+
+dn: CN=Schema Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Schema Admins
+description: Designated administrators of the schema
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-518
+adminCount: 1
+sAMAccountName: Schema Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Enterprise Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Enterprise Admins
+description: Designated administrators of the enterprise
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-519
+adminCount: 1
+sAMAccountName: Enterprise Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Cert Publishers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Cert Publishers
+description: Members of this group are permitted to publish certificates to the Active Directory
+uSNCreated: 1
+uSNChanged: 1
+groupType: 0x80000004
+sAMAccountType: 0x20000000
+objectSid: ${DOMAINSID}-517
+sAMAccountName: Cert Publishers
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Admins
+description: Designated administrators of the domain
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-512
+adminCount: 1
+sAMAccountName: Domain Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Domain Users,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Users
+description: All domain users
+uSNCreated: 1
+memberOf: CN=Users,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-513
+sAMAccountName: Domain Users
+isCriticalSystemObject: TRUE
+unixName: ${USERS}
+
+dn: CN=Domain Guests,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Guests
+description: All domain guests
+uSNCreated: 1
+memberOf: CN=Guests,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-514
+sAMAccountName: Domain Guests
+isCriticalSystemObject: TRUE
+
+dn: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Group Policy Creator Owners
+description: Members in this group can modify group policy for the domain
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-520
+sAMAccountName: Group Policy Creator Owners
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=RAS and IAS Servers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: RAS and IAS Servers
+description: Servers in this group can access remote access properties of users
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-553
+sAMAccountName: RAS and IAS Servers
+sAMAccountType: 0x20000000
+groupType: 0x80000004
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Server Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Server Operators
+description: Members can administer domain servers
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-549
+adminCount: 1
+sAMAccountName: Server Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeBackupPrivilege
+privilege: SeSystemtimePrivilege
+privilege: SeRemoteShutdownPrivilege
+privilege: SeRestorePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Account Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Account Operators
+description: Members can administer domain user and group accounts
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-548
+adminCount: 1
+sAMAccountName: Account Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeInteractiveLogonRight
+
author	Andrew Bartlett <abartlet@samba.org>	2005-07-27 00:23:09 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 13:30:05 -0500
commit	66b2a04346a568e6564b9cb21a89cf887cad3d03 (patch)
tree	f87081c370373939889c695fb0da0be0746bff69 /source4/setup/provision_users.ldif
parent	40119dcb1d72795513bdad4018eff19fdc4a203d (diff)
download	samba-66b2a04346a568e6564b9cb21a89cf887cad3d03.tar.gz samba-66b2a04346a568e6564b9cb21a89cf887cad3d03.tar.bz2 samba-66b2a04346a568e6564b9cb21a89cf887cad3d03.zip