diff options
-rw-r--r-- | source4/scripting/python/samba/provision/__init__.py | 7 | ||||
-rw-r--r-- | source4/scripting/python/samba/provision/descriptor.py | 9 | ||||
-rw-r--r-- | source4/setup/provision.ldif | 1 |
3 files changed, 15 insertions, 2 deletions
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index 5e80d63d4a..74288c1347 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -81,7 +81,8 @@ from samba.provision.descriptor import ( get_config_descriptor, get_config_partitions_descriptor, get_config_sites_descriptor, - get_domain_descriptor + get_domain_descriptor, + get_domain_infrastructure_descriptor, ) from samba.provision.common import ( setup_path, @@ -1296,6 +1297,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, setup_path("provision_computers_modify.ldif"), { "DOMAINDN": names.domaindn}) logger.info("Setting up sam.ldb data") + infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid)) setup_add_ldif(samdb, setup_path("provision.ldif"), { "CREATTIME": str(samba.unix2nttime(int(time.time()))), "DOMAINDN": names.domaindn, @@ -1304,7 +1306,8 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, "CONFIGDN": names.configdn, "SERVERDN": names.serverdn, "RIDAVAILABLESTART": str(next_rid + 600), - "POLICYGUID_DC": policyguid_dc + "POLICYGUID_DC": policyguid_dc, + "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc, }) # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py index 2deb550073..db38e19a3e 100644 --- a/source4/scripting/python/samba/provision/descriptor.py +++ b/source4/scripting/python/samba/provision/descriptor.py @@ -143,6 +143,15 @@ def get_domain_descriptor(domain_sid): sec = security.descriptor.from_sddl(sddl, domain_sid) return ndr_pack(sec) +def get_domain_infrastructure_descriptor(domain_sid): + sddl = "D:" \ + "(A;;RPLCLORC;;;AU)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "S:" \ + "(AU;SA;WPCR;;;WD)" + sec = security.descriptor.from_sddl(sddl, domain_sid) + return ndr_pack(sec) def get_dns_partition_descriptor(domainsid): sddl = "O:SYG:BAD:AI" \ diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index 2db01f9bb9..0dcb7d41cd 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif @@ -63,6 +63,7 @@ objectClass: top objectClass: infrastructureUpdate systemFlags: -1946157056 isCriticalSystemObject: TRUE +nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR} dn: CN=LostAndFound,${DOMAINDN} objectClass: top |