-rw-r--r--source4/scripting/python/samba/provision.py14
-rw-r--r--source4/setup/provision.ldif2
-rw-r--r--source4/setup/provision_basedn_modify.ldif2
-rw-r--r--source4/setup/provision_self_join.ldif2
-rw-r--r--source4/setup/provision_self_join_modify.ldif10
5 files changed, 24 insertions, 6 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index f48795d363..808a39db1f 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -868,7 +868,7 @@ def setup_samdb_rootdse(samdb, setup_path, names):
def setup_self_join(samdb, names,
machinepass, dnspass,
- domainsid, invocationid, setup_path,
+ domainsid, next_rid, invocationid, setup_path,
policyguid, policyguid_dc, domainControllerFunctionality,
ntdsguid):
"""Join a host to its own domain."""
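Review bot: `next_rid` is inserted between `domainsid` and `invocationid` in `setup_self_join`'s positional parameter list, so a caller that still passes these arguments by position would bind its invocation id to `next_rid` without any error. The call changed later in this commit uses keywords, but other callers are not visible from this hunk. Appending it after `ntdsguid` with the same default `setup_samdb` gets, `ntdsguid, next_rid=1000):`, keeps the old call shape valid. The one-line docstring could also mention that `next_rid` becomes the RID in the machine account's `objectSID` (the `DCRID` substitution); the function body continues outside this hunk.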
@@ -890,6 +890,7 @@ def setup_self_join(samdb, names,
"REALM": names.realm,
"DOMAIN": names.domain,
"DOMAINSID": str(domainsid),
+ "DCRID": str(next_rid),
"DNSDOMAIN": names.dnsdomain,
"SAMBA_VERSION_STRING": version,
"NTDSGUID": ntdsguid_line,
@@ -920,6 +921,8 @@ def setup_self_join(samdb, names,
"NETBIOSNAME": names.netbiosname,
"NTDSGUID": names.ntdsguid,
"DNSPASS_B64": b64encode(dnspass),
+ "RIDALLOCATIONSTART": str(next_rid + 100),
+ "RIDALLOCATIONEND": str(next_rid + 100 + 499),
})
def getpolicypath(sysvolpath, dnsdomain, guid):
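Review bot: The literals `100` and `499` in the `RIDALLOCATIONSTART`/`RIDALLOCATIONEND` lines have to agree with the `600` in the `RIDAVAILABLESTART` line added to `setup_samdb`, yet nothing in the code ties them together. As written the DC's pool ends at `next_rid + 599` and the domain's available pool starts at `next_rid + 600`; changing one number without the other would either overlap the two ranges, so the same RID could be issued twice, or leave a gap. Naming them once at module level, e.g. `RID_POOL_OFFSET = 100` and `RID_POOL_SIZE = 500`, and deriving all three values from those names would make the invariant explicit. A short comment on why the RIDs between `next_rid` and `next_rid + 100` appear to be left out of the DC's pool would also help.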
@@ -947,7 +950,8 @@ def setup_gpo(sysvolpath, dnsdomain, policyguid, policyguid_dc):
def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
logger, domainsid, domainguid, policyguid, policyguid_dc, fill,
adminpass, krbtgtpass, machinepass, invocationid, dnspass, ntdsguid,
- serverrole, am_rodc=False, dom_for_fun_level=None, schema=None):
+ serverrole, am_rodc=False, dom_for_fun_level=None, schema=None,
+ next_rid=1000):
"""Setup a complete SAM Database.
:note: This will wipe the main SAM database file!
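Review bot: `next_rid` enters `setup_samdb` with no range check, and it ends up in the DC's `objectSID`, in `nextRid` and in both RID pool boundaries. RIDs below 1000 are conventionally reserved for built-in accounts and groups, so a small value could give the DC account or later-allocated principals a SID that clashes with a privileged one, and a value near the `1073741823` pool ceiling in `provision.ldif` would yield an empty or inverted available pool. Unless a caller outside this diff already validates it, a guard at the top of the function such as `if not 1000 <= next_rid < 1073741823 - 600: raise ValueError("next_rid out of range")` would fail before anything is written to the database. The docstring, which continues outside this hunk, should also describe the new parameter.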
@@ -1027,6 +1031,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
"CREATTIME": str(int(time.time() * 1e7)), # seconds -> ticks
"DOMAINSID": str(domainsid),
+ "NEXTRID": str(next_rid),
"SCHEMADN": names.schemadn,
"NETBIOSNAME": names.netbiosname,
"DEFAULTSITE": names.sitename,
@@ -1109,6 +1114,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
"DEFAULTSITE": names.sitename,
"CONFIGDN": names.configdn,
"SERVERDN": names.serverdn,
+ "RIDAVAILABLESTART": str(next_rid + 600),
"POLICYGUID_DC": policyguid_dc
})
@@ -1132,7 +1138,9 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
setup_self_join(samdb, names=names, invocationid=invocationid,
dnspass=dnspass,
machinepass=machinepass,
- domainsid=domainsid, policyguid=policyguid,
+ domainsid=domainsid,
+ next_rid=next_rid,
+ policyguid=policyguid,
policyguid_dc=policyguid_dc,
setup_path=setup_path,
domainControllerFunctionality=domainControllerFunctionality,
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 7ba3183c94..2159aeff98 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -809,7 +809,7 @@ dn: CN=RID Manager$,CN=System,${DOMAINDN}
objectClass: top
objectClass: rIDManager
systemFlags: -1946157056
-rIDAvailablePool: 1001-1073741823
+rIDAvailablePool: ${RIDAVAILABLESTART}-1073741823
isCriticalSystemObject: TRUE
dn: CN=RpcServices,CN=System,${DOMAINDN}
diff --git a/source4/setup/provision_basedn_modify.ldif b/source4/setup/provision_basedn_modify.ldif
index 1d5345c60e..b4f3016770 100644
--- a/source4/setup/provision_basedn_modify.ldif
+++ b/source4/setup/provision_basedn_modify.ldif
@@ -68,7 +68,7 @@ replace: msDS-PerUserTrustTombstonesQuota
msDS-PerUserTrustTombstonesQuota: 10
-
replace: nextRid
-nextRid: 1000
+nextRid: ${NEXTRID}
-
replace: nTMixedDomain
nTMixedDomain: 0
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index d4d06f6e63..2530a0e788 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -32,7 +32,7 @@ servicePrincipalName: ldap/${DNSNAME}
servicePrincipalName: ldap/${DNSNAME}/${REALM}
userAccountControl: 532480
userPassword:: ${MACHINEPASS_B64}
-objectSID: ${DOMAINSID}-1000
+objectSID: ${DOMAINSID}-${DCRID}
# Here are missing the objects for the NTFRS subscription since we don't
# support this technique yet.
diff --git a/source4/setup/provision_self_join_modify.ldif b/source4/setup/provision_self_join_modify.ldif
index f81a2b69c7..c2bba888b7 100644
--- a/source4/setup/provision_self_join_modify.ldif
+++ b/source4/setup/provision_self_join_modify.ldif
@@ -28,11 +28,21 @@ changetype: modify
replace: interSiteTopologyGenerator
interSiteTopologyGenerator: CN=NTDS Settings,${SERVERDN}
+dn: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
+changetype: add
+objectClass: rIDSet
+rIDAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
+rIDPreviousAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
+rIDUsedPool: 0
+rIDNextRID: ${RIDALLOCATIONSTART}
+
dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
changetype: modify
add: servicePrincipalName
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN}
servicePrincipalName: ldap/${NTDSGUID}._msdcs.${DNSDOMAIN}
+add: rIDSetReferences
+rIDSetReferences: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
# NOTE: This account is SAMBA4 specific!
dn: CN=dns,CN=Users,${DOMAINDN}
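Review bot: The added `add: rIDSetReferences` line follows the `servicePrincipalName` values directly, with no `-` line ending the previous modification. LDIF change records (RFC 2849) separate each modification with a line holding only `-`, as `provision_basedn_modify.ldif` does around `replace: nextRid`; the parser used by provisioning may accept the omission, but stricter LDIF tools would likely reject the record or read the second `add:` as an attribute value. Insert a `-` line before `add: rIDSetReferences`.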