author | Stefan Metzmacher <metze@samba.org> | 2013-01-23 16:27:17 +0100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2013-01-27 20:14:21 +1100 |
commit | a477649e568577875be577c70a6b25cbeea6985a (patch) | |
tree | f9fafa600be23bf649c008df5ac9ad5eafd346e2 /source4 | |
parent | 1de5c2f78544385d2fe270d766fc1ca6726d71fb (diff) | |
provision: fix nTSecurityDescriptor attributes of CN=*,${CONFIGDN} (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/scripting/python/samba/provision/__init__.py | 21 | ||||
-rw-r--r-- | source4/setup/provision_configuration.ldif | 6 | ||||
-rw-r--r-- | source4/setup/provision_configuration_modify.ldif | 6 | ||||
-rw-r--r-- | source4/setup/provision_well_known_sec_princ.ldif | 1 |
4 files changed, 34 insertions, 0 deletions
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index cd29e0c95c..8f4928ce2b 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -1298,8 +1298,14 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it if fill == FILL_FULL: logger.info("Setting up sam.ldb configuration data") + partitions_descr = b64encode(get_config_partitions_descriptor(domainsid)) sites_descr = b64encode(get_config_sites_descriptor(domainsid)) + ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(domainsid)) + protected1_descr = b64encode(get_config_delete_protected1_descriptor(domainsid)) + protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid)) + protected2_descr = b64encode(get_config_delete_protected2_descriptor(domainsid)) + setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), { "CONFIGDN": names.configdn, "NETBIOSNAME": names.netbiosname, @@ -1311,6 +1317,12 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, "SERVERDN": names.serverdn, "FOREST_FUNCTIONALITY": str(forestFunctionality), "DOMAIN_FUNCTIONALITY": str(domainFunctionality), + "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr, + "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr, + "SERVICES_DESCRIPTOR": protected1_descr, + "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr, + "FORESTUPDATES_DESCRIPTOR": protected1wd_descr, + "EXTENDEDRIGHTS_DESCRIPTOR": protected2_descr, "PARTITIONS_DESCRIPTOR": partitions_descr, "SITES_DESCRIPTOR": sites_descr, }) 
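Review bot: The names `protected1_descr`, `protected1wd_descr` and `protected2_descr`, added at the top of the `fill == FILL_FULL` branch, say nothing about which ACL each one encodes. The substitution dict in the following hunk (`@@ -1311`) then spreads them over six keys, so a reader cannot check from here that `SERVICES_DESCRIPTOR` should take `protected1` while `LOSTANDFOUND_DESCRIPTOR`, `PHYSICALLOCATIONS_DESCRIPTOR` and `FORESTUPDATES_DESCRIPTOR` take `protected1wd`. The `get_config_delete_protected*_descriptor` helpers are not defined in this diff. I would add a short comment above the assignments, along the lines of `# protected1 / protected1wd / protected2: <trustees and rights that differ between the three>`, filled in from the helper definitions. `fill_samdb` starts and ends outside both hunks.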
@@ -1323,6 +1335,13 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, check_all_substituted(display_specifiers_ldif) samdb.add_ldif(display_specifiers_ldif) + logger.info("Modifying display specifiers") + setup_modify_ldif(samdb, + setup_path("provision_configuration_modify.ldif"), { + "CONFIGDN": names.configdn, + "DISPLAYSPECIFIERS_DESCRIPTOR": protected2_descr + }) + logger.info("Adding users container") users_desc = b64encode(get_domain_users_descriptor(domainsid)) setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), { @@ -1372,8 +1391,10 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, "SCHEMADN": names.schemadn}) logger.info("Setting up well known security principals") + protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid)) setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), { "CONFIGDN": names.configdn, + "WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr, }) if fill == FILL_FULL or fill == FILL_SUBDOMAIN: diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif index 1d818ef95c..42de84afad 100644 --- a/source4/setup/provision_configuration.ldif +++ b/source4/setup/provision_configuration.ldif @@ -21,6 +21,7 @@ dn: CN=Extended-Rights,${CONFIGDN} objectClass: top objectClass: container systemFlags: -2147483648 +nTSecurityDescriptor:: ${EXTENDEDRIGHTS_DESCRIPTOR} dn: CN=Change-Rid-Master,CN=Extended-Rights,${CONFIGDN} objectClass: top @@ -706,6 +707,7 @@ validAccesses: 48 dn: CN=ForestUpdates,${CONFIGDN} objectClass: top objectClass: container +nTSecurityDescriptor:: ${FORESTUPDATES_DESCRIPTOR} dn: CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,${CONFIGDN} objectClass: top @@ -1001,6 +1003,7 @@ dn: CN=LostAndFoundConfig,${CONFIGDN} objectClass: top objectClass: lostAndFound systemFlags: -2147483648 +nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR} dn: CN=NTDS Quotas,${CONFIGDN} objectClass: top 
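Review bot: The new `setup_modify_ldif` call in the `@@ -1323` hunk replaces the descriptor on `CN=DisplaySpecifiers` only after `samdb.add_ldif(display_specifiers_ldif)` has run. Nothing in the hunk says why this one container is handled by a modify while the others receive their descriptor in the add template. A one-line comment such as `# CN=DisplaySpecifiers is created by display_specifiers_ldif, so its descriptor is replaced afterwards` would record the reason (presumably that; confirm). It is also worth confirming that objects already added below the container pick up the inheritable ACEs of the replaced descriptor, which this hunk cannot show. `fill_samdb` continues outside the hunk.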
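Review bot: `protected1wd_descr` is computed a second time in the `@@ -1372` hunk, before the well-known security principals template is loaded, with the same call and the same `domainsid` as in the `@@ -1298` hunk. Indentation is flattened on this page, so I cannot tell whether the first assignment is still in scope at this point. If both sit under a `fill == FILL_FULL` condition, the value could be computed once before its first use. Otherwise a comment like `# recomputed: the earlier value is only set when fill == FILL_FULL` would explain the duplication. The enclosing function extends beyond the hunk.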
@@ -1009,6 +1012,7 @@ description: Quota specifications container isCriticalSystemObject: TRUE msDS-TombstoneQuotaFactor: 100 systemFlags: -2147483648 +nTSecurityDescriptor:: ${NTDSQUOTAS_DESCRIPTOR} # Partitions @@ -1053,6 +1057,7 @@ objectClass: top objectClass: locality objectClass: physicalLocation l: Physical Locations tree root +nTSecurityDescriptor:: ${PHYSICALLOCATIONS_DESCRIPTOR} # Schema located in "ad-schema/*.txt" @@ -1062,6 +1067,7 @@ dn: CN=Services,${CONFIGDN} objectClass: top objectClass: container systemFlags: -2147483648 +nTSecurityDescriptor:: ${SERVICES_DESCRIPTOR} dn: CN=MsmqServices,CN=Services,${CONFIGDN} objectClass: top diff --git a/source4/setup/provision_configuration_modify.ldif b/source4/setup/provision_configuration_modify.ldif new file mode 100644 index 0000000000..6840604f67 --- /dev/null +++ b/source4/setup/provision_configuration_modify.ldif @@ -0,0 +1,6 @@ +dn: CN=DisplaySpecifiers,${CONFIGDN} +changetype: modify +- +replace: nTSecurityDescriptor +nTSecurityDescriptor:: ${DISPLAYSPECIFIERS_DESCRIPTOR} +- diff --git a/source4/setup/provision_well_known_sec_princ.ldif b/source4/setup/provision_well_known_sec_princ.ldif index 54691bd796..1817382a69 100644 --- a/source4/setup/provision_well_known_sec_princ.ldif +++ b/source4/setup/provision_well_known_sec_princ.ldif @@ -4,6 +4,7 @@ dn: CN=WellKnown Security Principals,${CONFIGDN} objectClass: top objectClass: container systemFlags: -2147483648 +nTSecurityDescriptor:: ${WELLKNOWNPRINCIPALS_DESCRIPTOR} dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN} objectClass: top |
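Review bot: The `nTSecurityDescriptor:: ${..._DESCRIPTOR}` lines added to the provision templates take effect only when a directory is provisioned from these files. This applies to the hunks here, the earlier `provision_configuration.ldif` hunks, and `provision_well_known_sec_princ.ldif`. Databases provisioned before this commit would keep whatever descriptors they were created with on these Configuration containers, and the four files in the diffstat include no upgrade step and no test that reads the resulting descriptors back. If existing domains are handled elsewhere for bug #9481, a pointer in the commit message would tell administrators whether the ACLs on these containers need checking. Otherwise it deserves a follow-up.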