Rework to have member server 'domains' be CN=NETBIOSNAME

This reworks quite a few parts of our provision system to use
CN=NETBIOSNAME as the domain for member servers.

This makes it clear that these domains are not in the DNS structure,
while complying with our own schema (found by OpenLDAP's schema
validation).

Andrew Bartlett
(This used to be commit bda6a38b055fed2394e65cdc0b308a1442116402)

7 files changed, 49 insertions, 6 deletions

diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 88c8afd6cc..3be60ac452 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1464,7 +1464,7 @@ int samdb_search_for_parent_domain(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
 	
 	while ((sdn = ldb_dn_get_parent(local_ctx, sdn))) {
 		ret = ldb_search(ldb, sdn, LDB_SCOPE_BASE, 
-				 "(|(objectClass=domain)(objectClass=builtinDomain))", attrs, &res);
+				 "(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain))", attrs, &res);
 		if (ret == LDB_SUCCESS) {
 			talloc_steal(local_ctx, res);
 			if (res->count == 1) {
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index aa64700f2f..ec19e0d49e 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1220,7 +1220,7 @@ static int build_domain_data_request(struct ph_context *ac)
 	ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb);
 	ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE;
 
-	filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(objectClass=domain)(objectClass=builtinDomain)))", 
+	filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", 
 				 ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid));
 	if (filter == NULL) {
 		ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 8193e0a882..da03d83dbc 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -425,7 +425,7 @@ static NTSTATUS dcesrv_samr_OpenDomain(struct dcesrv_call_state *dce_call, TALLO
 
 	ret = gendb_search(c_state->sam_ctx,
 			   mem_ctx, NULL, &dom_msgs, dom_attrs,
-			   "(&(objectSid=%s)(&(|(objectclass=domain)(objectClass=builtinDomain))))",
+			   "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", 
 			   ldap_encode_ndr_dom_sid(mem_ctx, r->in.sid));
 	if (ret == 0) {
 		return NT_STATUS_NO_SUCH_DOMAIN;
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index f9604a84b2..25316e888a 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -763,9 +763,15 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
         
     try:
         message("Adding DomainDN: %s (permitted to fail)" % names.domaindn)
+        if serverrole == "domain controller":
+            domain_oc = "domainDNS"
+        else:
+            domain_oc = "samba4LocalDomain"
+
         setup_add_ldif(samdb, setup_path("provision_basedn.ldif"), {
             "DOMAINDN": names.domaindn,
             "ACI": aci,
+            "DOMAIN_OC": domain_oc
             })
 
         message("Modifying DomainDN: " + names.domaindn + "")
diff --git a/source4/selftest/target/Samba4.pm b/source4/selftest/target/Samba4.pm
index 2b94135355..416a376f68 100644
--- a/source4/selftest/target/Samba4.pm
+++ b/source4/selftest/target/Samba4.pm
@@ -544,7 +544,7 @@ sub provision($$$$$$)
 
 
 	my $localbasedn = $basedn;
-	$localbasedn = "DC=$netbiosname" if $server_role eq "member server";
+	$localbasedn = "CN=$netbiosname" if $server_role eq "member server";
 
 	open(CONFFILE, ">$conffile");
 	print CONFFILE "
diff --git a/source4/setup/provision_basedn.ldif b/source4/setup/provision_basedn.ldif
index 11eb0593e8..7fdecfa3c0 100644
--- a/source4/setup/provision_basedn.ldif
+++ b/source4/setup/provision_basedn.ldif
@@ -3,7 +3,6 @@
 ################################
 dn: ${DOMAINDN}
 objectClass: top
-objectClass: domain
-objectClass: domainDNS
+objectClass: ${DOMAIN_OC}
 ${ACI}
 
diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif
index 8bd1705468..7146091c8e 100644
--- a/source4/setup/schema_samba4.ldif
+++ b/source4/setup/schema_samba4.ldif
@@ -194,3 +194,41 @@ attributeID: 1.3.6.1.4.1.7165.4.1.11
 attributeSyntax: 2.5.5.4
 oMSyntax: 20
 
+#
+# Based on domainDNS, but without the DNS bits.
+#
+
+dn: CN=Samba4-Local-Domain,${SCHEMADN}
+objectClass: top
+objectClass: classSchema
+subClassOf: top
+governsID: 1.3.6.1.4.1.7165.4.2.2
+possibleInferiors: group
+possibleInferiors: lostAndFound
+possibleInferiors: builtinDomain
+possibleInferiors: computer
+possibleInferiors: user
+possibleInferiors: container
+possibleInferiors: groupPolicyContainer
+possibleInferiors: organization
+possibleInferiors: domainDNS
+possibleInferiors: locality
+possibleInferiors: msDS-AzAdminManager
+possibleInferiors: country
+possibleInferiors: organizationalUnit
+rDNAttID: cn
+showInAdvancedViewOnly: TRUE
+adminDisplayName: Samba4-Local-Domain
+adminDescription: Samba4-Local-Domain
+systemMayContain: msDS-Behavior-Version
+systemMayContain: managedBy
+objectClassCategory: 1
+lDAPDisplayName: samba4LocalDomain
+schemaIDGUID: 07be1647-8310-4fba-91ae-34e55d5a8293
+systemOnly: FALSE
+systemAuxiliaryClass: samDomainBase
+defaultSecurityDescriptor: D:(A;;RPLCLORC;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
+systemFlags: 16
+defaultHidingValue: TRUE
+defaultObjectCategory: CN=Builtin-Domain,${SCHEMADN}
+