authorStefan Metzmacher <metze@samba.org>2013-01-23 16:27:17 +0100
committerAndrew Bartlett <abartlet@samba.org>2013-01-27 20:14:21 +1100
commit5cf98823cc804906833f7ea763f99de0147b0fee (patch)
tree7fe5ade5b05fbda6e36c299391787d98af918460 /source4
parenta477649e568577875be577c70a6b25cbeea6985a (diff)
provision: fix nTSecurityDescriptor of containers in the DnsZones (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/scripting/python/samba/provision/sambadns.py30
-rw-r--r--source4/setup/provision_dnszones_add.ldif4
2 files changed, 23 insertions, 11 deletions
diff --git a/source4/scripting/python/samba/provision/sambadns.py b/source4/scripting/python/samba/provision/sambadns.py
index a66fde1425..740dd38417 100644
--- a/source4/scripting/python/samba/provision/sambadns.py
+++ b/source4/scripting/python/samba/provision/sambadns.py
@@ -37,7 +37,11 @@ from samba.dsdb import (
)
from samba.provision.descriptor import (
get_domain_descriptor,
- get_dns_partition_descriptor
+ get_domain_delete_protected1_descriptor,
+ get_domain_delete_protected2_descriptor,
+ get_dns_partition_descriptor,
+ get_dns_forest_microsoft_dns_descriptor,
+ get_dns_domain_microsoft_dns_descriptor
)
from samba.provision.common import (
setup_path,
@@ -244,6 +248,8 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
domainzone_dns = ldb.Dn(samdb, domainzone_dn).canonical_ex_str().strip()
forestzone_dns = ldb.Dn(samdb, forestzone_dn).canonical_ex_str().strip()
+ protected1_desc = get_domain_delete_protected1_descriptor(domainsid)
+ protected2_desc = get_domain_delete_protected2_descriptor(domainsid)
setup_add_ldif(samdb, setup_path("provision_dnszones_add.ldif"), {
"DOMAINZONE_DN": domainzone_dn,
"FORESTZONE_DN": forestzone_dn,
@@ -253,6 +259,8 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
"FORESTZONE_DNS": forestzone_dns,
"CONFIGDN": configdn,
"SERVERDN": serverdn,
+ "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc),
+ "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc),
})
setup_modify_ldif(samdb, setup_path("provision_dnszones_modify.ldif"), {
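Review bot: The two descriptors introduced at the top of the hunk are named after the helper's numbering rather than their use, and the mapping is crossed — `protected1_desc` feeds `INFRASTRUCTURE_DESCRIPTOR` while `protected2_desc` feeds `LOSTANDFOUND_DESCRIPTOR` — which is easy to misread during an ACL review. Naming them by target, `infrastructure_desc = get_domain_delete_protected1_descriptor(domainsid)` and `lostandfound_desc = get_domain_delete_protected2_descriptor(domainsid)`, makes the substitution lines self-checking. A short why-comment would also help: `# LostAndFound and Infrastructure in both DNS partitions get the domain's delete-protected descriptors (bug #9481)`. The same base64 values are substituted into both the DomainDnsZones and ForestDnsZones entries of the LDIF, so both partitions end up with descriptors derived from the one domain SID. setup_dns_partitions starts and ends outside this hunk.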
@@ -269,18 +277,18 @@ def add_dns_accounts(samdb, domaindn):
})
-def add_dns_container(samdb, domaindn, prefix, domainsid, dnsadmins_sid):
+def add_dns_container(samdb, domaindn, prefix, domain_sid, dnsadmins_sid, forest=False):
+ name_map = {'DnsAdmins': str(dnsadmins_sid)}
+ if forest is True:
+ sd_val = get_dns_forest_microsoft_dns_descriptor(domain_sid,
+ name_map=name_map)
+ else:
+ sd_val = get_dns_domain_microsoft_dns_descriptor(domain_sid,
+ name_map=name_map)
# CN=MicrosoftDNS,<PREFIX>,<DOMAINDN>
- sddl = "O:SYG:SYD:AI" \
- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" \
- "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;%s)" \
- "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
- "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" \
- "S:AI" % dnsadmins_sid
- sec = security.descriptor.from_sddl(sddl, domainsid)
msg = ldb.Message(ldb.Dn(samdb, "CN=MicrosoftDNS,%s,%s" % (prefix, domaindn)))
msg["objectClass"] = ["top", "container"]
- msg["nTSecurityDescriptor"] = ldb.MessageElement(ndr_pack(sec), ldb.FLAG_MOD_ADD,
+ msg["nTSecurityDescriptor"] = ldb.MessageElement(sd_val, ldb.FLAG_MOD_ADD,
"nTSecurityDescriptor")
samdb.add(msg)
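Review bot: `if forest is True:` on the new branch only matches the literal `True`, so a truthy value such as `1` would silently select the domain descriptor for the forest container; `if forest:` is the idiomatic and safer test. The positional parameter was also renamed from `domainsid` to `domain_sid`, which breaks any caller passing it by keyword (the visible caller later in the file is positional, so no breakage is shown here, but the rename is unrelated to the fix). Whether the two helper descriptors still carry the container-inheritable full-control ACE for DnsAdmins that the removed SDDL expressed cannot be verified from this hunk, so a one-line pointer is worthwhile, e.g. `# SD (incl. the DnsAdmins ACE, via name_map) comes from samba.provision.descriptor; see bug #9481`. The function also lacks a docstring; `"""Add CN=MicrosoftDNS,<prefix>,<domaindn> with the forest or domain DNS descriptor, substituting the DnsAdmins SID."""` would do.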
@@ -942,7 +950,7 @@ def create_dns_partitions(samdb, domainsid, names, domaindn, forestdn,
add_dns_container(samdb, domaindn, "DC=DomainDnsZones", domainsid,
dnsadmins_sid)
add_dns_container(samdb, forestdn, "DC=ForestDnsZones", domainsid,
- dnsadmins_sid)
+ dnsadmins_sid, forest=True)
def fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
diff --git a/source4/setup/provision_dnszones_add.ldif b/source4/setup/provision_dnszones_add.ldif
index bd97bb9aac..bf872f0b64 100644
--- a/source4/setup/provision_dnszones_add.ldif
+++ b/source4/setup/provision_dnszones_add.ldif
@@ -14,12 +14,14 @@ objectClass: top
objectClass: lostAndFound
isCriticalSystemObject: TRUE
systemFlags: -1946157056
+nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR}
dn: CN=Infrastructure,${DOMAINZONE_DN}
objectClass: top
objectClass: infrastructureUpdate
isCriticalSystemObject: TRUE
systemFlags: -1946157056
+nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
dn: CN=NTDS Quotas,${DOMAINZONE_DN}
objectClass: top
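Review bot: The hunk gives LostAndFound and Infrastructure explicit nTSecurityDescriptor values, but the CN=NTDS Quotas entry that follows in the same partition is left without one, and the diffstat's four insertions for this file are all visible in the two hunks, so NTDS Quotas will keep inheriting from the partition head. If the domain partition's provision assigns NTDS Quotas its own descriptor, the DnsZones copies should probably get the same treatment to match the bug's intent; if inheritance is deliberate, a comment on the entry such as `# NTDS Quotas intentionally inherits the partition head's SD` would save the next reviewer the question. The `::` syntax requires a base64 value and the Python side supplies `b64encode(...)`, so that part lines up.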
@@ -41,12 +43,14 @@ objectClass: top
objectClass: lostAndFound
isCriticalSystemObject: TRUE
systemFlags: -1946157056
+nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR}
dn: CN=Infrastructure,${FORESTZONE_DN}
objectClass: top
objectClass: infrastructureUpdate
isCriticalSystemObject: TRUE
systemFlags: -1946157056
+nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
dn: CN=NTDS Quotas,${FORESTZONE_DN}
objectClass: top
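Review bot: The ForestDnsZones entries reuse `${LOSTANDFOUND_DESCRIPTOR}` and `${INFRASTRUCTURE_DESCRIPTOR}`, which the Python side builds from the single `domainsid`, so the forest partition's containers are owned and ACLed in terms of the provisioned domain rather than anything forest-specific. That is presumably correct because provision only creates the forest root domain, but it is an assumption worth recording next to these entries, e.g. `# forest-zone containers use the (root) domain's delete-protected descriptors`, so a later multi-domain code path does not copy the substitution blindly.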