-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 17 | ||||
-rw-r--r-- | source4/scripting/libjs/provision.js | 2 | ||||
-rw-r--r-- | source4/setup/provision.ldif | 232 | ||||
-rw-r--r-- | source4/setup/provision_templates.ldif | 150 |
4 files changed, 164 insertions, 237 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 3a0368db69..40b6b72713 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -347,7 +347,7 @@ static int samldb_copy_template(struct ldb_module *module, struct ldb_message *m if (strcasecmp(el->name, "cn") == 0 || strcasecmp(el->name, "name") == 0 || strcasecmp(el->name, "sAMAccountName") == 0 || - strcasecmp(el->name, "objectGUID")) { + strcasecmp(el->name, "objectGUID") == 0) { continue; } for (j = 0; j < el->num_values; j++) { @@ -395,7 +395,7 @@ static struct ldb_message *samldb_fill_group_object(struct ldb_module *module, c return NULL; } - if (samldb_copy_template(module, msg2, "(&(name=TemplateGroup)(objectclass=groupTemplate))") != 0) { + if (samldb_copy_template(module, msg2, "(&(CN=TemplateGroup)(objectclass=groupTemplate))") != 0) { ldb_debug(module->ldb, LDB_DEBUG_WARNING, "samldb_fill_group_object: Error copying template!\n"); return NULL; } @@ -473,9 +473,16 @@ static struct ldb_message *samldb_fill_user_or_computer_object(struct ldb_module return NULL; } - if (samldb_copy_template(module, msg2, "(&(name=TemplateUser)(objectclass=userTemplate))") != 0) { - ldb_debug(module->ldb, LDB_DEBUG_WARNING, "samldb_fill_user_or_computer_object: Error copying template!\n"); - return NULL; + if (samldb_find_attribute(msg, "objectclass", "computer") == NULL) { + if (samldb_copy_template(module, msg2, "(&(CN=TemplateMemberServer)(objectclass=userTemplate))") != 0) { + ldb_debug(module->ldb, LDB_DEBUG_WARNING, "samldb_fill_user_or_computer_object: Error copying computer template!\n"); + return NULL; + } + } else { + if (samldb_copy_template(module, msg2, "(&(CN=TemplateUser)(objectclass=userTemplate))") != 0) { + ldb_debug(module->ldb, LDB_DEBUG_WARNING, "samldb_fill_user_or_computer_object: Error copying user template!\n"); + return NULL; + } } if ( ! samldb_get_rdn_and_basedn(msg2, msg2->dn, &rdn, &basedn)) { 
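Review bot: The template selection in the third hunk (samldb_fill_user_or_computer_object) looks inverted: when `samldb_find_attribute(msg, "objectclass", "computer")` returns NULL — which, going by the helper's name, means no `computer` object class is present — the code copies TemplateMemberServer and logs "Error copying computer template", while a message that does carry `computer` gets TemplateUser. If that reading of samldb_find_attribute is right, plain user accounts would inherit the member-server defaults from provision_templates.ldif (userAccountControl 0x1002, sAMAccountType 0x30000001, objectCategory CN=Computer) and computer accounts the user ones, so the condition should be `if (samldb_find_attribute(msg, "objectclass", "computer") != NULL) {`. Separately, TemplateDomainController and TemplateTrustingDomain in the new ldif are never selected by this branch, so the ${NETBIOSNAME} domain-controller object in provision.ldif (which this commit strips of its own objectCategory) would receive member-server values; whether samldb_copy_template overrides attributes already present on the message is not visible in the hunk. The function's body begins and ends outside the hunk.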
diff --git a/source4/scripting/libjs/provision.js b/source4/scripting/libjs/provision.js index db71392d8c..38f3fc066e 100644 --- a/source4/scripting/libjs/provision.js +++ b/source4/scripting/libjs/provision.js @@ -246,6 +246,8 @@ function provision(subobj, message) setup_ldb("hklm.ldif", "hklm.ldb", subobj); message("Setting up sam.ldb attributes\n"); setup_ldb("provision_init.ldif", "sam.ldb", subobj); + message("Setting up sam.ldb templates\n"); + setup_ldb("provision_templates.ldif", "sam.ldb", subobj, NULL, false); message("Setting up sam.ldb data\n"); setup_ldb("provision.ldif", "sam.ldb", subobj, data, false); message("Setting up rootdse.ldb\n"); diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index bc4505e8a4..10ea5248c8 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif @@ -191,7 +191,6 @@ objectClass: organizationalPerson objectClass: user cn: Administrator description: Built-in account for administering the computer/domain -instanceType: 4 uSNCreated: 1 memberOf: CN=Group Policy Creator Owners,CN=Users,${BASEDN} memberOf: CN=Domain Admins,CN=Users,${BASEDN} @@ -201,21 +200,10 @@ memberOf: CN=Administrators,CN=Builtin,${BASEDN} uSNChanged: 1 name: Administrator userAccountControl: 0x10200 -badPwdCount: 0 -codePage: 0 -countryCode: 0 -badPasswordTime: 0 -lastLogoff: 0 -lastLogon: 0 -pwdLastSet: 0 -primaryGroupID: 513 objectSid: ${DOMAINSID}-500 adminCount: 1 accountExpires: -1 -logonCount: 0 sAMAccountName: Administrator -sAMAccountType: 0x30000000 -objectCategory: CN=Person,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE unicodePwd: ${ADMINPASS} unixName: ${ROOT} 
@@ -227,26 +215,14 @@ objectClass: organizationalPerson objectClass: user cn: Guest description: Built-in account for guest access to the computer/domain -instanceType: 4 uSNCreated: 1 memberOf: CN=Guests,CN=Builtin,${BASEDN} uSNChanged: 1 name: Guest userAccountControl: 0x10222 -badPwdCount: 0 -codePage: 0 -countryCode: 0 -badPasswordTime: 0 -lastLogoff: 0 -lastLogon: 0 -pwdLastSet: 0 primaryGroupID: 514 objectSid: ${DOMAINSID}-501 -accountExpires: -1 -logonCount: 0 sAMAccountName: Guest -sAMAccountType: 0x30000000 -objectCategory: CN=Person,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE dn: CN=Administrators,CN=Builtin,${BASEDN} @@ -257,7 +233,6 @@ description: Administrators have complete and unrestricted access to the compute member: CN=Domain Admins,CN=Users,${BASEDN} member: CN=Enterprise Admins,CN=Users,${BASEDN} member: CN=Administrator,CN=Users,${BASEDN} -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Administrators @@ -302,7 +277,6 @@ objectClass: group cn: Users description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications member: CN=Domain Users,CN=Users,${BASEDN} -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Users @@ -321,7 +295,6 @@ cn: Guests description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted member: CN=Domain Guests,CN=Users,${BASEDN} member: CN=Guest,CN=Users,${BASEDN} -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Guests @@ -339,7 +312,6 @@ objectClass: top objectClass: group cn: Print Operators description: Members can administer domain printers -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Print Operators 
@@ -360,7 +332,6 @@ objectClass: top objectClass: group cn: Backup Operators description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Backup Operators @@ -382,7 +353,6 @@ objectClass: top objectClass: group cn: Replicator description: Supports file replication in a domain -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Replicator @@ -400,7 +370,6 @@ objectClass: top objectClass: group cn: Remote Desktop Users description: Members in this group are granted the right to logon remotely -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Remote Desktop Users @@ -417,7 +386,6 @@ objectClass: top objectClass: group cn: Network Configuration Operators description: Members in this group can have some administrative privileges to manage configuration of networking features -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Network Configuration Operators @@ -434,7 +402,6 @@ objectClass: top objectClass: group cn: Performance Monitor Users description: Members of this group have remote access to monitor this computer -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Performance Monitor Users @@ -451,7 +418,6 @@ objectClass: top objectClass: group cn: Performance Log Users description: Members of this group have remote access to schedule logging of performance counters on this computer -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Performance Log Users 
@@ -467,33 +433,24 @@ dn: CN=${NETBIOSNAME},OU=Domain Controllers,${BASEDN} objectClass: top objectClass: person objectClass: organizationalPerson -objectClass: user objectClass: computer cn: ${NETBIOSNAME} -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: ${NETBIOSNAME} objectGUID: ${HOSTGUID} userAccountControl: 532480 -badPwdCount: 0 -codePage: 0 -countryCode: 0 -badPasswordTime: 0 -lastLogoff: 0 lastLogon: 127273269057298624 localPolicyFlags: 0 pwdLastSet: 127258826171655328 primaryGroupID: 516 objectSid: ${DOMAINSID}-1000 accountExpires: 9223372036854775807 -logonCount: 30 sAMAccountName: ${NETBIOSNAME}$ sAMAccountType: 805306369 operatingSystem: Samba operatingSystemVersion: 4.0 dNSHostName: ${DNSNAME} -objectCategory: CN=Computer,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE unicodePwd: ${MACHINEPASS} servicePrincipalName: HOST/${DNSNAME} @@ -507,28 +464,18 @@ objectClass: organizationalPerson objectClass: user cn: krbtgt description: Key Distribution Center Service Account -instanceType: 4 uSNCreated: 1 uSNChanged: 1 showInAdvancedViewOnly: TRUE name: krbtgt userAccountControl: 514 -badPwdCount: 0 -codePage: 0 -countryCode: 0 -badPasswordTime: 0 -lastLogoff: 0 -lastLogon: 0 pwdLastSet: 127258826179466560 -primaryGroupID: 513 objectSid: ${DOMAINSID}-502 adminCount: 1 accountExpires: 9223372036854775807 -logonCount: 0 sAMAccountName: krbtgt sAMAccountType: 805306368 servicePrincipalName: kadmin/changepw -objectCategory: CN=Person,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE unicodePwd: ${KRBTGTPASS} @@ -537,14 +484,11 @@ objectClass: top objectClass: group cn: Domain Computers description: All workstations and servers joined to the domain -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Domain Computers objectSid: ${DOMAINSID}-515 sAMAccountName: Domain Computers -sAMAccountType: 0x10000000 -groupType: 0x80000002 objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE 
@@ -553,16 +497,12 @@ objectClass: top objectClass: group cn: Domain Controllers description: All domain controllers in the domain -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Domain Controllers objectSid: ${DOMAINSID}-516 adminCount: 1 sAMAccountName: Domain Controllers -sAMAccountType: 0x10000000 -groupType: 0x80000002 -objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE dn: CN=Schema Admins,CN=Users,${BASEDN} @@ -571,16 +511,12 @@ objectClass: group cn: Schema Admins description: Designated administrators of the schema member: CN=Administrator,CN=Users,${BASEDN} -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Schema Admins objectSid: ${DOMAINSID}-518 adminCount: 1 sAMAccountName: Schema Admins -sAMAccountType: 0x10000000 -groupType: 0x80000002 -objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE unixName: ${WHEEL} @@ -590,7 +526,6 @@ objectClass: group cn: Enterprise Admins description: Designated administrators of the enterprise member: CN=Administrator,CN=Users,${BASEDN} -instanceType: 4 uSNCreated: 1 memberOf: CN=Administrators,CN=Builtin,${BASEDN} uSNChanged: 1 @@ -598,9 +533,6 @@ name: Enterprise Admins objectSid: ${DOMAINSID}-519 adminCount: 1 sAMAccountName: Enterprise Admins -sAMAccountType: 0x10000000 -groupType: 0x80000002 -objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE unixName: ${WHEEL} @@ -609,14 +541,11 @@ objectClass: top objectClass: group cn: Cert Publishers description: Members of this group are permitted to publish certificates to the Active Directory -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Cert Publishers objectSid: ${DOMAINSID}-517 sAMAccountName: Cert Publishers -sAMAccountType: 0x20000000 -groupType: 0x80000004 objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE 
@@ -626,7 +555,6 @@ objectClass: group cn: Domain Admins description: Designated administrators of the domain member: CN=Administrator,CN=Users,${BASEDN} -instanceType: 4 uSNCreated: 1 memberOf: CN=Administrators,CN=Builtin,${BASEDN} uSNChanged: 1 @@ -634,9 +562,6 @@ name: Domain Admins objectSid: ${DOMAINSID}-512 adminCount: 1 sAMAccountName: Domain Admins -sAMAccountType: 0x10000000 -groupType: 0x80000002 -objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE unixName: ${WHEEL} @@ -645,16 +570,12 @@ objectClass: top objectClass: group cn: Domain Users description: All domain users -instanceType: 4 uSNCreated: 1 memberOf: CN=Users,CN=Builtin,${BASEDN} uSNChanged: 1 name: Domain Users objectSid: ${DOMAINSID}-513 sAMAccountName: Domain Users -sAMAccountType: 0x10000000 -groupType: 0x80000002 -objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE unixName: ${USERS} @@ -663,16 +584,12 @@ objectClass: top objectClass: group cn: Domain Guests description: All domain guests -instanceType: 4 uSNCreated: 1 memberOf: CN=Guests,CN=Builtin,${BASEDN} uSNChanged: 1 name: Domain Guests objectSid: ${DOMAINSID}-514 sAMAccountName: Domain Guests -sAMAccountType: 0x10000000 -groupType: 0x80000002 -objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE dn: CN=Group Policy Creator Owners,CN=Users,${BASEDN} @@ -681,14 +598,11 @@ objectClass: group cn: Group Policy Creator Owners description: Members in this group can modify group policy for the domain member: CN=Administrator,CN=Users,${BASEDN} -instanceType: 4 uSNCreated: 1 uSNChanged: 1 name: Group Policy Creator Owners objectSid: ${DOMAINSID}-520 sAMAccountName: Group Policy Creator Owners -sAMAccountType: 0x10000000 -groupType: 0x80000002 objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE unixName: ${WHEEL} 
@@ -752,152 +666,6 @@ objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN} isCriticalSystemObject: TRUE privilege: SeInteractiveLogonRight -dn: CN=Templates,${BASEDN} -objectClass: top -objectClass: container -cn: Templates -description: Container for SAM account templates -instanceType: 4 -uSNCreated: 1 -uSNChanged: 1 -showInAdvancedViewOnly: TRUE -name: Templates -systemFlags: 0x8c000000 -objectCategory: CN=Container,CN=Schema,CN=Configuration,${BASEDN} -isCriticalSystemObject: TRUE - -### -# note! the template users must not match normal searches. Be careful -# with what classes you put them in -### - -dn: CN=TemplateUser,CN=Templates,${BASEDN} -objectClass: top -objectClass: person -objectClass: organizationalPerson -objectClass: Template -objectClass: userTemplate -cn: TemplateUser -name: TemplateUser -instanceType: 4 -userAccountControl: 0x202 -badPwdCount: 0 -codePage: 0 -countryCode: 0 -badPasswordTime: 0 -lastLogoff: 0 -lastLogon: 0 -pwdLastSet: 0 -primaryGroupID: 513 -accountExpires: -1 -logonCount: 0 -sAMAccountType: 0x30000000 - -dn: CN=TemplateMemberServer,CN=Templates,${BASEDN} -objectClass: top -objectClass: Template -objectClass: userTemplate -cn: TemplateMemberServer -name: TemplateMemberServer -instanceType: 4 -userAccountControl: 0x1002 -badPwdCount: 0 -codePage: 0 -countryCode: 0 -badPasswordTime: 0 -lastLogoff: 0 -lastLogon: 0 -pwdLastSet: 0 -primaryGroupID: 513 -accountExpires: -1 -logonCount: 0 -sAMAccountType: 0x30000001 - -dn: CN=TemplateDomainController,CN=Templates,${BASEDN} -objectClass: top -objectClass: Template -objectClass: userTemplate -cn: TemplateDomainController -name: TemplateDomainController -instanceType: 4 -userAccountControl: 0x2002 -badPwdCount: 0 -codePage: 0 -countryCode: 0 -badPasswordTime: 0 -lastLogoff: 0 -lastLogon: 0 -pwdLastSet: 0 -primaryGroupID: 513 -accountExpires: -1 -logonCount: 0 -sAMAccountType: 0x30000001 - -dn: CN=TemplateTrustingDomain,CN=Templates,${BASEDN} -objectClass: top -objectClass: 
Template -objectClass: userTemplate -cn: TemplateTrustingDomain -name: TemplateTrustingDomain -instanceType: 4 -userAccountControl: 0x820 -badPwdCount: 0 -codePage: 0 -countryCode: 0 -badPasswordTime: 0 -lastLogoff: 0 -lastLogon: 0 -pwdLastSet: 0 -primaryGroupID: 513 -accountExpires: -1 -logonCount: 0 -sAMAccountType: 0x30000002 - -dn: CN=TemplateGroup,CN=Templates,${BASEDN} -objectClass: top -objectClass: Template -objectClass: groupTemplate -cn: TemplateGroup -name: TemplateGroup -instanceType: 4 -groupType: 0x80000002 -sAMAccountType: 0x10000000 - -dn: CN=TemplateAlias,CN=Templates,${BASEDN} -objectClass: top -objectClass: Template -objectClass: aliasTemplate -cn: TemplateAlias -name: TemplateAlias -instanceType: 4 -groupType: 0x80000004 -sAMAccountType: 0x10000000 - -dn: CN=TemplateForeignSecurityPrincipal,CN=Templates,${BASEDN} -objectClass: top -objectClass: Template -objectClass: foreignSecurityPrincipalTemplate -cn: TemplateForeignSecurityPrincipal -name: TemplateForeignSecurityPrincipal - -dn: CN=TemplateSecret,CN=Templates,${BASEDN} -objectClass: top -objectClass: leaf -objectClass: Template -objectClass: secretTemplate -cn: TemplateSecret -name: TemplateSecret -instanceType: 4 - -dn: CN=TemplateTrustedDomain,CN=Templates,${BASEDN} -objectClass: top -objectClass: leaf -objectClass: Template -objectClass: trustedDomainTemplate -cn: TemplateTrustedDomain -name: TemplateTrustedDomain -instanceType: 4 - ############################### # Configuration Naming Context ############################### diff --git a/source4/setup/provision_templates.ldif b/source4/setup/provision_templates.ldif new file mode 100644 index 0000000000..43901a41e8 --- /dev/null +++ b/source4/setup/provision_templates.ldif 
@@ -0,0 +1,150 @@ +dn: CN=Templates,${BASEDN} +objectClass: top +objectClass: container +cn: Templates +description: Container for SAM account templates +instanceType: 4 +uSNCreated: 1 +uSNChanged: 1 +showInAdvancedViewOnly: TRUE +name: Templates +systemFlags: 0x8c000000 +objectCategory: CN=Container,CN=Schema,CN=Configuration,${BASEDN} +isCriticalSystemObject: TRUE + +### +# note! the template users must not match normal searches. Be careful +# with what classes you put them in +### + +dn: CN=TemplateUser,CN=Templates,${BASEDN} +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: Template +objectClass: userTemplate +cn: TemplateUser +name: TemplateUser +instanceType: 4 +userAccountControl: 0x202 +badPwdCount: 0 +codePage: 0 +countryCode: 0 +badPasswordTime: 0 +lastLogoff: 0 +lastLogon: 0 +pwdLastSet: 0 +primaryGroupID: 513 +accountExpires: -1 +logonCount: 0 +sAMAccountType: 0x30000000 +objectCategory: CN=Person,CN=Schema,CN=Configuration,${BASEDN} + +dn: CN=TemplateMemberServer,CN=Templates,${BASEDN} +objectClass: top +objectClass: Template +objectClass: userTemplate +cn: TemplateMemberServer +name: TemplateMemberServer +instanceType: 4 +userAccountControl: 0x1002 +badPwdCount: 0 +codePage: 0 +countryCode: 0 +badPasswordTime: 0 +lastLogoff: 0 +lastLogon: 0 +pwdLastSet: 0 +primaryGroupID: 513 +accountExpires: -1 +logonCount: 0 +sAMAccountType: 0x30000001 +objectCategory: CN=Computer,CN=Schema,CN=Configuration,${BASEDN} + +dn: CN=TemplateDomainController,CN=Templates,${BASEDN} +objectClass: top +objectClass: Template +objectClass: userTemplate +cn: TemplateDomainController +name: TemplateDomainController +instanceType: 4 +userAccountControl: 0x2002 +badPwdCount: 0 +codePage: 0 +countryCode: 0 +badPasswordTime: 0 +lastLogoff: 0 +lastLogon: 0 +pwdLastSet: 0 +primaryGroupID: 513 +accountExpires: -1 +logonCount: 0 +sAMAccountType: 0x30000001 +objectCategory: CN=Computer,CN=Schema,CN=Configuration,${BASEDN} + +dn: 
CN=TemplateTrustingDomain,CN=Templates,${BASEDN} +objectClass: top +objectClass: Template +objectClass: userTemplate +cn: TemplateTrustingDomain +name: TemplateTrustingDomain +instanceType: 4 +userAccountControl: 0x820 +badPwdCount: 0 +codePage: 0 +countryCode: 0 +badPasswordTime: 0 +lastLogoff: 0 +lastLogon: 0 +pwdLastSet: 0 +primaryGroupID: 513 +accountExpires: -1 +logonCount: 0 +sAMAccountType: 0x30000002 + +dn: CN=TemplateGroup,CN=Templates,${BASEDN} +objectClass: top +objectClass: Template +objectClass: groupTemplate +cn: TemplateGroup +name: TemplateGroup +instanceType: 4 +groupType: 0x80000002 +sAMAccountType: 0x10000000 +objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN} + +dn: CN=TemplateAlias,CN=Templates,${BASEDN} +objectClass: top +objectClass: Template +objectClass: aliasTemplate +cn: TemplateAlias +name: TemplateAlias +instanceType: 4 +groupType: 0x80000004 +sAMAccountType: 0x10000000 + +dn: CN=TemplateForeignSecurityPrincipal,CN=Templates,${BASEDN} +objectClass: top +objectClass: Template +objectClass: foreignSecurityPrincipalTemplate +cn: TemplateForeignSecurityPrincipal +name: TemplateForeignSecurityPrincipal + +dn: CN=TemplateSecret,CN=Templates,${BASEDN} +objectClass: top +objectClass: leaf +objectClass: Template +objectClass: secretTemplate +cn: TemplateSecret +name: TemplateSecret +instanceType: 4 + +dn: CN=TemplateTrustedDomain,CN=Templates,${BASEDN} +objectClass: top +objectClass: leaf +objectClass: Template +objectClass: trustedDomainTemplate +cn: TemplateTrustedDomain +name: TemplateTrustedDomain +instanceType: 4 + |
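Review bot: The header note says the template users must not match normal searches, but the new `objectCategory: CN=Person,...` on TemplateUser, `objectCategory: CN=Computer,...` on TemplateMemberServer and TemplateDomainController, and `objectCategory: CN=Group,...` on TemplateGroup make these entries hits for the `(objectCategory=person)` / `(objectCategory=computer)` filters that directory clients commonly use to enumerate accounts, on top of the `objectClass: person` / `organizationalPerson` that TemplateUser already carried, unless something in the module stack hides the Templates subtree. If these attributes exist only to be inherited through samldb_copy_template, the note should say so and name them, and code that enumerates accounts needs to exclude the `CN=Templates,${BASEDN}` subtree or filter out the `userTemplate`/`groupTemplate` classes. The templates also lack the `showInAdvancedViewOnly: TRUE` that the Templates container itself sets; adding it to each template entry would at least keep them out of default admin-tool views. Whichever way this is resolved, the comment block at the top is the place to record it.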