summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/scripting/python/samba/provision/__init__.py7
-rw-r--r--source4/scripting/python/samba/provision/descriptor.py9
-rw-r--r--source4/setup/provision.ldif1
3 files changed, 15 insertions, 2 deletions
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index 5e80d63d4a..74288c1347 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -81,7 +81,8 @@ from samba.provision.descriptor import (
get_config_descriptor,
get_config_partitions_descriptor,
get_config_sites_descriptor,
- get_domain_descriptor
+ get_domain_descriptor,
+ get_domain_infrastructure_descriptor,
)
from samba.provision.common import (
setup_path,
@@ -1296,6 +1297,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
setup_path("provision_computers_modify.ldif"), {
"DOMAINDN": names.domaindn})
logger.info("Setting up sam.ldb data")
+ infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid))
setup_add_ldif(samdb, setup_path("provision.ldif"), {
"CREATTIME": str(samba.unix2nttime(int(time.time()))),
"DOMAINDN": names.domaindn,
@@ -1304,7 +1306,8 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
"CONFIGDN": names.configdn,
"SERVERDN": names.serverdn,
"RIDAVAILABLESTART": str(next_rid + 600),
- "POLICYGUID_DC": policyguid_dc
+ "POLICYGUID_DC": policyguid_dc,
+ "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
})
# If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
index 2deb550073..db38e19a3e 100644
--- a/source4/scripting/python/samba/provision/descriptor.py
+++ b/source4/scripting/python/samba/provision/descriptor.py
@@ -143,6 +143,15 @@ def get_domain_descriptor(domain_sid):
sec = security.descriptor.from_sddl(sddl, domain_sid)
return ndr_pack(sec)
+def get_domain_infrastructure_descriptor(domain_sid):
+ sddl = "D:" \
+ "(A;;RPLCLORC;;;AU)" \
+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "S:" \
+ "(AU;SA;WPCR;;;WD)"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return ndr_pack(sec)
def get_dns_partition_descriptor(domainsid):
sddl = "O:SYG:BAD:AI" \
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 2db01f9bb9..0dcb7d41cd 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -63,6 +63,7 @@ objectClass: top
objectClass: infrastructureUpdate
systemFlags: -1946157056
isCriticalSystemObject: TRUE
+nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
dn: CN=LostAndFound,${DOMAINDN}
objectClass: top