author | Stefan Metzmacher <metze@samba.org> | 2013-01-23 16:27:17 +0100 |
committer | Andrew Bartlett <abartlet@samba.org> | 2013-01-27 20:14:21 +1100 |
commit | 5cf98823cc804906833f7ea763f99de0147b0fee (patch) | |
tree | 7fe5ade5b05fbda6e36c299391787d98af918460 /source4 | |
parent | a477649e568577875be577c70a6b25cbeea6985a (diff) | |
provision: fix nTSecurityDescriptor of containers in the DnsZones (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/scripting/python/samba/provision/sambadns.py | 30 | ||||
-rw-r--r-- | source4/setup/provision_dnszones_add.ldif | 4 |
2 files changed, 23 insertions, 11 deletions
diff --git a/source4/scripting/python/samba/provision/sambadns.py b/source4/scripting/python/samba/provision/sambadns.py
index a66fde1425..740dd38417 100644
--- a/source4/scripting/python/samba/provision/sambadns.py
+++ b/source4/scripting/python/samba/provision/sambadns.py
@@ -37,7 +37,11 @@ from samba.dsdb import (
 )
 from samba.provision.descriptor import (
     get_domain_descriptor,
-    get_dns_partition_descriptor
+    get_domain_delete_protected1_descriptor,
+    get_domain_delete_protected2_descriptor,
+    get_dns_partition_descriptor,
+    get_dns_forest_microsoft_dns_descriptor,
+    get_dns_domain_microsoft_dns_descriptor
 )
 from samba.provision.common import (
     setup_path,
@@ -244,6 +248,8 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
     domainzone_dns = ldb.Dn(samdb, domainzone_dn).canonical_ex_str().strip()
     forestzone_dns = ldb.Dn(samdb, forestzone_dn).canonical_ex_str().strip()
 
+    protected1_desc = get_domain_delete_protected1_descriptor(domainsid)
+    protected2_desc = get_domain_delete_protected2_descriptor(domainsid)
     setup_add_ldif(samdb, setup_path("provision_dnszones_add.ldif"), {
         "DOMAINZONE_DN": domainzone_dn,
         "FORESTZONE_DN": forestzone_dn,
@@ -253,6 +259,8 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
         "FORESTZONE_DNS": forestzone_dns,
         "CONFIGDN": configdn,
         "SERVERDN": serverdn,
+        "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc),
+        "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc),
     })
 
     setup_modify_ldif(samdb, setup_path("provision_dnszones_modify.ldif"), {
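Review bot: `b64encode` is called on the two new dictionary entries in the third hunk, yet the import hunk at the top of this file does not add it, so presumably it is already imported elsewhere in sambadns.py; worth confirming, since a missing name here would only surface at provision time. The cross-numbering in the second and third hunks is easy to misread: `protected2_desc` feeds LOSTANDFOUND_DESCRIPTOR and `protected1_desc` feeds INFRASTRUCTURE_DESCRIPTOR, so a comment such as `# LostAndFound gets the delete_protected2 descriptor, Infrastructure the delete_protected1 one` above the two assignments would spare the next reader a trip into samba.provision.descriptor. Both descriptors are built from `domainsid` only and, judging by the ldif hunks, are reused unchanged for the ForestDnsZones containers; if that is intentional a one-line comment saying so would help. setup_dns_partitions starts and ends outside these hunks.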
@@ -269,18 +277,18 @@ def add_dns_accounts(samdb, domaindn):
     })
 
 
-def add_dns_container(samdb, domaindn, prefix, domainsid, dnsadmins_sid):
+def add_dns_container(samdb, domaindn, prefix, domain_sid, dnsadmins_sid, forest=False):
+    name_map = {'DnsAdmins': str(dnsadmins_sid)}
+    if forest is True:
+        sd_val = get_dns_forest_microsoft_dns_descriptor(domain_sid,
+                                                         name_map=name_map)
+    else:
+        sd_val = get_dns_domain_microsoft_dns_descriptor(domain_sid,
+                                                         name_map=name_map)
     # CN=MicrosoftDNS,<PREFIX>,<DOMAINDN>
-    sddl = "O:SYG:SYD:AI" \
-        "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" \
-        "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;%s)" \
-        "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
-        "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" \
-        "S:AI" % dnsadmins_sid
-    sec = security.descriptor.from_sddl(sddl, domainsid)
     msg = ldb.Message(ldb.Dn(samdb, "CN=MicrosoftDNS,%s,%s" % (prefix, domaindn)))
     msg["objectClass"] = ["top", "container"]
-    msg["nTSecurityDescriptor"] = ldb.MessageElement(ndr_pack(sec), ldb.FLAG_MOD_ADD,
+    msg["nTSecurityDescriptor"] = ldb.MessageElement(sd_val, ldb.FLAG_MOD_ADD,
         "nTSecurityDescriptor")
     samdb.add(msg)
 
@@ -942,7 +950,7 @@ def create_dns_partitions(samdb, domainsid, names, domaindn, forestdn,
     add_dns_container(samdb, domaindn, "DC=DomainDnsZones", domainsid,
                       dnsadmins_sid)
     add_dns_container(samdb, forestdn, "DC=ForestDnsZones", domainsid,
-                      dnsadmins_sid)
+                      dnsadmins_sid, forest=True)
 
 
 def fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
diff --git a/source4/setup/provision_dnszones_add.ldif b/source4/setup/provision_dnszones_add.ldif
index bd97bb9aac..bf872f0b64 100644
--- a/source4/setup/provision_dnszones_add.ldif
+++ b/source4/setup/provision_dnszones_add.ldif
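Review bot: `if forest is True:` in the new add_dns_container body takes the forest branch only for the literal `True`; any other truthy value silently falls back to the domain descriptor, so `if forest:` is both the idiomatic form and the safer one for a permissions decision. The new `forest` parameter and the renamed `domain_sid` argument are undocumented; a short docstring stating that `forest=True` selects the ForestDnsZones variant of the CN=MicrosoftDNS descriptor and that the DnsAdmins SID is resolved through `name_map` would help. Renaming `domainsid` to `domain_sid` breaks any caller that passes it by keyword; the two call sites visible in create_dns_partitions pass it positionally, but other callers are not in this diff. With the inline SDDL removed, the ACEs actually applied to CN=MicrosoftDNS now live entirely in the two descriptor helpers, which are not part of this change, so the effective permissions can no longer be reviewed from this file and deserve a test that compares the stored nTSecurityDescriptor against the expected SDDL.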
@@ -14,12 +14,14 @@ objectClass: top
 objectClass: lostAndFound
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR}
 
 dn: CN=Infrastructure,${DOMAINZONE_DN}
 objectClass: top
 objectClass: infrastructureUpdate
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
 
 dn: CN=NTDS Quotas,${DOMAINZONE_DN}
 objectClass: top
@@ -41,12 +43,14 @@ objectClass: top
 objectClass: lostAndFound
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR}
 
 dn: CN=Infrastructure,${FORESTZONE_DN}
 objectClass: top
 objectClass: infrastructureUpdate
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
 
 dn: CN=NTDS Quotas,${FORESTZONE_DN}
 objectClass: top |