summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rw-r--r--source4/libnet/libnet_samsync_ldb.c141
-rw-r--r--source4/rpc_server/lsa/dcesrv_lsa.c56
-rw-r--r--source4/rpc_server/samr/dcesrv_samr.c26
-rw-r--r--source4/scripting/libjs/provision.js19
-rwxr-xr-xsource4/setup/provision6
-rw-r--r--source4/setup/provision.ldif459
-rw-r--r--source4/setup/provision_templates.ldif3
-rw-r--r--source4/setup/provision_users.ldif459
8 files changed, 638 insertions, 531 deletions
diff --git a/source4/libnet/libnet_samsync_ldb.c b/source4/libnet/libnet_samsync_ldb.c
index 2414b2795f..38d6d267b8 100644
--- a/source4/libnet/libnet_samsync_ldb.c
+++ b/source4/libnet/libnet_samsync_ldb.c
@@ -5,6 +5,7 @@
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
Copyright (C) Andrew Tridgell 2004
+ Copyright (C) Volker Lendecke 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -50,6 +51,56 @@ struct samsync_ldb_state {
struct samsync_ldb_trusted_domain *trusted_domains;
};
+static NTSTATUS samsync_ldb_add_foreignSecurityPrincipal(TALLOC_CTX *mem_ctx,
+ struct samsync_ldb_state *state,
+ struct dom_sid *sid,
+ char **fsp_dn)
+{
+ const char *sidstr = dom_sid_string(mem_ctx, sid);
+ /* We assume that ForeignSecurityPrincipals are under the BASEDN of the main domain */
+ const char *basedn = samdb_search_string(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN],
+ "dn",
+ "(&(objectClass=container)"
+ "(cn=ForeignSecurityPrincipals))");
+ struct ldb_message *msg;
+ int ret;
+
+ if (!sidstr) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (basedn == NULL) {
+ DEBUG(0, ("Failed to find DN for "
+ "ForeignSecurityPrincipal container\n"));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* add core elements to the ldb_message for the alias */
+ msg->dn = talloc_asprintf(mem_ctx, "CN=%s,%s", sidstr, basedn);
+ if (msg->dn == NULL)
+ return NT_STATUS_NO_MEMORY;
+
+ samdb_msg_add_string(state->sam_ldb, mem_ctx, msg,
+ "objectClass",
+ "foreignSecurityPrincipal");
+
+ *fsp_dn = msg->dn;
+
+ /* create the alias */
+ ret = samdb_add(state->sam_ldb, mem_ctx, msg);
+ if (ret != 0) {
+ DEBUG(0,("Failed to create foreignSecurityPrincipal "
+ "record %s: %s\n", msg->dn, ldb_errstring(state->sam_ldb)));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ return NT_STATUS_OK;
+}
+
static NTSTATUS samsync_ldb_handle_domain(TALLOC_CTX *mem_ctx,
struct samsync_ldb_state *state,
struct creds_CredentialState *creds,
@@ -178,6 +229,11 @@ static NTSTATUS samsync_ldb_handle_user(TALLOC_CTX *mem_ctx,
} else if (ret == 0) {
add = True;
} else if (ret > 1) {
+ DEBUG(0, ("More than one user with SID: %s\n",
+ dom_sid_string(mem_ctx,
+ dom_sid_add_rid(mem_ctx,
+ state->dom_sid[database],
+ rid))));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
msg->dn = talloc_steal(msg, msgs[0]->dn);
@@ -317,10 +373,16 @@ static NTSTATUS samsync_ldb_delete_user(TALLOC_CTX *mem_ctx,
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
return NT_STATUS_NO_SUCH_USER;
} else if (ret > 1) {
+ DEBUG(0, ("More than one user with SID: %s\n",
+ dom_sid_string(mem_ctx,
+ dom_sid_add_rid(mem_ctx,
+ state->dom_sid[database],
+ rid))));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -361,10 +423,16 @@ static NTSTATUS samsync_ldb_handle_group(TALLOC_CTX *mem_ctx,
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
add = True;
} else if (ret > 1) {
+ DEBUG(0, ("More than one group/alias with SID: %s\n",
+ dom_sid_string(mem_ctx,
+ dom_sid_add_rid(mem_ctx,
+ state->dom_sid[database],
+ rid))));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
msg->dn = talloc_steal(msg, msgs[0]->dn);
@@ -438,10 +506,16 @@ static NTSTATUS samsync_ldb_delete_group(TALLOC_CTX *mem_ctx,
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
return NT_STATUS_NO_SUCH_GROUP;
} else if (ret > 1) {
+ DEBUG(0, ("More than one group/alias with SID: %s\n",
+ dom_sid_string(mem_ctx,
+ dom_sid_add_rid(mem_ctx,
+ state->dom_sid[database],
+ rid))));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
@@ -479,10 +553,16 @@ static NTSTATUS samsync_ldb_handle_group_member(TALLOC_CTX *mem_ctx,
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
return NT_STATUS_NO_SUCH_GROUP;
} else if (ret > 1) {
+ DEBUG(0, ("More than one group/alias with SID: %s\n",
+ dom_sid_string(mem_ctx,
+ dom_sid_add_rid(mem_ctx,
+ state->dom_sid[database],
+ rid))));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
msg->dn = talloc_steal(msg, msgs[0]->dn);
@@ -497,6 +577,7 @@ static NTSTATUS samsync_ldb_handle_group_member(TALLOC_CTX *mem_ctx,
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], group_member->rids[i])));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
return NT_STATUS_NO_SUCH_USER;
@@ -546,10 +627,16 @@ static NTSTATUS samsync_ldb_handle_alias(TALLOC_CTX *mem_ctx,
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
add = True;
} else if (ret > 1) {
+ DEBUG(0, ("More than one group/alias with SID: %s\n",
+ dom_sid_string(mem_ctx,
+ dom_sid_add_rid(mem_ctx,
+ state->dom_sid[database],
+ rid))));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
msg->dn = talloc_steal(mem_ctx, msgs[0]->dn);
@@ -625,6 +712,7 @@ static NTSTATUS samsync_ldb_delete_alias(TALLOC_CTX *mem_ctx,
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
return NT_STATUS_NO_SUCH_ALIAS;
@@ -666,10 +754,16 @@ static NTSTATUS samsync_ldb_handle_alias_member(TALLOC_CTX *mem_ctx,
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
return NT_STATUS_NO_SUCH_GROUP;
} else if (ret > 1) {
+ DEBUG(0, ("More than one group/alias with SID: %s\n",
+ dom_sid_string(mem_ctx,
+ dom_sid_add_rid(mem_ctx,
+ state->dom_sid[database],
+ rid))));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
msg->dn = talloc_steal(msg, msgs[0]->dn);
@@ -678,20 +772,29 @@ static NTSTATUS samsync_ldb_handle_alias_member(TALLOC_CTX *mem_ctx,
talloc_free(msgs);
for (i=0; i<alias_member->sids.num_sids; i++) {
- /* search for the group, by rid */
- ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
+ char *alias_member_dn;
+ /* search for members, in the top basedn (normal users are builtin aliases) */
+ ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
"(objectSid=%s)",
ldap_encode_ndr_dom_sid(mem_ctx, alias_member->sids.sids[i].sid));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
- return NT_STATUS_NO_SUCH_USER;
- } else if (ret > 1) {
+ NTSTATUS nt_status;
+ nt_status = samsync_ldb_add_foreignSecurityPrincipal(mem_ctx, state,
+ alias_member->sids.sids[i].sid,
+ &alias_member_dn);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+ } else if (ret > 1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
- samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "member", msgs[0]->dn);
+ alias_member_dn = msgs[0]->dn;
}
+ samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "member", alias_member_dn);
talloc_free(msgs);
}
@@ -716,6 +819,7 @@ static NTSTATUS samsync_ldb_handle_account(TALLOC_CTX *mem_ctx,
struct ldb_message *msg;
struct ldb_message **msgs;
+ char *privilage_dn;
int ret;
const char *attrs[] = { NULL };
int i;
@@ -725,20 +829,32 @@ static NTSTATUS samsync_ldb_handle_account(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- /* search for the account, by sid */
- ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
+ /* search for the account, by sid, in the top basedn */
+ ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
"(objectSid=%s)", ldap_encode_ndr_dom_sid(mem_ctx, sid));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
- return NT_STATUS_NO_SUCH_USER;
+ NTSTATUS nt_status;
+ nt_status = samsync_ldb_add_foreignSecurityPrincipal(mem_ctx, state,
+ sid,
+ &privilage_dn);
+ privilage_dn = talloc_steal(msg, privilage_dn);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
} else if (ret > 1) {
+ DEBUG(0, ("More than one account with SID: %s\n",
+ dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
- msg->dn = talloc_steal(msg, msgs[0]->dn);
+ privilage_dn = talloc_steal(msg, msgs[0]->dn);
}
+ msg->dn = privilage_dn;
+
for (i=0; i< account->privilege_entries; i++) {
samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "privilage",
account->privilege_name[i].string);
@@ -771,16 +887,19 @@ static NTSTATUS samsync_ldb_delete_account(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- /* search for the account, by sid */
- ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
+ /* search for the account, by sid, in the top basedn */
+ ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
"(objectSid=%s)",
ldap_encode_ndr_dom_sid(mem_ctx, sid));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
return NT_STATUS_NO_SUCH_USER;
} else if (ret > 1) {
+ DEBUG(0, ("More than one account with SID: %s\n",
+ dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
msg->dn = talloc_steal(msg, msgs[0]->dn);
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 78973776f1..85f94712ba 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -220,6 +220,9 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
struct lsa_policy_state **_state)
{
struct lsa_policy_state *state;
+ const char *domain_attrs[] = {"nETBIOSName", "nCName", NULL};
+ int ret_domain;
+ struct ldb_message **msgs_domain;
state = talloc(mem_ctx, struct lsa_policy_state);
if (!state) {
@@ -237,36 +240,47 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
+ ret_domain = gendb_search(state->sam_ldb, mem_ctx, NULL, &msgs_domain, domain_attrs,
+ "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))",
+ lp_workgroup());
+
+ if (ret_domain == -1) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ if (ret_domain != 1) {
+ return NT_STATUS_NO_SUCH_DOMAIN;
+ }
+
/* work out the domain_dn - useful for so many calls its worth
fetching here */
- state->domain_dn = talloc_reference(state,
- samdb_search_string(state->sam_ldb, mem_ctx, NULL,
- "dn", "(&(objectClass=domain)(!(objectclass=builtinDomain)))"));
+ state->domain_dn = talloc_steal(state, samdb_result_string(msgs_domain[0], "nCName", NULL));
if (!state->domain_dn) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
/* work out the builtin_dn - useful for so many calls its worth
fetching here */
- state->builtin_dn = talloc_reference(state,
- samdb_search_string(state->sam_ldb, mem_ctx, NULL,
- "dn", "objectClass=builtinDomain"));
+ state->builtin_dn = talloc_steal(state,
+ samdb_search_string(state->sam_ldb, mem_ctx, NULL,
+ "dn", "objectClass=builtinDomain"));
if (!state->builtin_dn) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
/* work out the system_dn - useful for so many calls its worth
fetching here */
- state->system_dn = talloc_reference(state,
- samdb_search_string(state->sam_ldb, mem_ctx, state->domain_dn,
- "dn", "(&(objectClass=container)(cn=System))"));
+ state->system_dn = talloc_steal(state,
+ samdb_search_string(state->sam_ldb, mem_ctx, state->domain_dn,
+ "dn", "(&(objectClass=container)(cn=System))"));
if (!state->system_dn) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
- state->domain_sid = samdb_search_dom_sid(state->sam_ldb, state,
- state->domain_dn, "objectSid",
- "dn=%s", state->domain_dn);
+ state->domain_sid = talloc_steal(state,
+ samdb_search_dom_sid(state->sam_ldb, state,
+ state->domain_dn, "objectSid",
+ "dn=%s", state->domain_dn));
if (!state->domain_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
@@ -276,13 +290,9 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
return NT_STATUS_NO_SUCH_DOMAIN;
}
- state->domain_name = talloc_reference(state,
- samdb_search_string(state->sam_ldb, mem_ctx,
- state->domain_dn, "name",
- "dn=%s", state->domain_dn));
- if (!state->domain_name) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
+ state->domain_name = talloc_strdup(state,
+ samdb_result_string(msgs_domain[0], "nETBIOSName",
+ lp_workgroup()));
*_state = state;
@@ -619,14 +629,6 @@ static NTSTATUS lsa_CreateTrustedDomain(struct dcesrv_call_state *dce_call, TALL
samdb_msg_add_string(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "securityIdentifier", sid_string);
}
- /* pull in all the template attributes. */
- ret = samdb_copy_template(trusted_domain_state->policy->sam_ldb, mem_ctx, msg,
- "(&(name=TemplateTrustedDomain)(objectclass=trustedDomainTemplate))");
- if (ret != 0) {
- DEBUG(0,("Failed to load TemplateTrustedDomain from samdb\n"));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
samdb_msg_add_string(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "objectClass", "trustedDomain");
trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msg->dn);
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 3cda88c04c..26593d1697 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -747,7 +747,7 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msg->dn);
- /* retrieve the sid for the group just created */
+ /* retrieve the sid for the user just created */
sid = samdb_search_dom_sid(d_state->sam_ctx, a_state,
msg->dn, "objectSid", "dn=%s", msg->dn);
if (sid == NULL) {
@@ -907,7 +907,7 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C
/* Check if alias already exists */
name = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
"sAMAccountName",
- "(&pAMAccountName=%s)(objectclass=group))",
+ "(sAMAccountName=%s)(objectclass=group))",
alias_name);
if (name != NULL) {
@@ -2040,17 +2040,6 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C
return NT_STATUS_NO_MEMORY;
}
- /* pull in all the template attributes */
- ret = samdb_copy_template(d_state->sam_ctx, mem_ctx, msg,
- "(&(name=TemplateForeignSecurityPrincipal)"
- "(objectclass=foreignSecurityPrincipalTemplate))");
- if (ret != 0) {
- DEBUG(0,("Failed to load "
- "TemplateForeignSecurityPrincipal "
- "from samdb\n"));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
/* TODO: Hmmm. This feels wrong. How do I find the base dn to
* put the ForeignSecurityPrincipals? d_state->domain_dn does
* not work, this is wrong for the Builtin domain, there's no
@@ -2076,13 +2065,9 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C
memberdn = msg->dn;
samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
- "name", sidstr);
- samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
"objectClass",
"foreignSecurityPrincipal");
- samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
- "objectSid", sidstr);
-
+
/* create the alias */
ret = samdb_add(d_state->sam_ctx, mem_ctx, msg);
if (ret != 0) {
@@ -3256,7 +3241,7 @@ static NTSTATUS samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX
struct ldb_message **msgs;
int ret;
const char * const attrs[] = {"minPwdLength", "pwdProperties", NULL };
- void *sam_ctx;
+ struct ldb_context *sam_ctx;
ZERO_STRUCT(r->out.info);
@@ -3267,8 +3252,7 @@ static NTSTATUS samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX
ret = gendb_search(sam_ctx,
mem_ctx, NULL, &msgs, attrs,
- "(&(name=%s)(objectclass=domain))",
- lp_workgroup());
+ "(&(!(objectClass=builtinDomain))(objectclass=domain))");
if (ret <= 0) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
diff --git a/source4/scripting/libjs/provision.js b/source4/scripting/libjs/provision.js
index b6a7c5978b..0bcb2fa761 100644
--- a/source4/scripting/libjs/provision.js
+++ b/source4/scripting/libjs/provision.js
@@ -56,19 +56,10 @@ function add_foreign(str, sid, desc, unixname)
dn: CN=${SID},CN=ForeignSecurityPrincipals,${BASEDN}
objectClass: top
objectClass: foreignSecurityPrincipal
-cn: ${SID}
description: ${DESC}
-instanceType: 4
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
+unixName: ${UNIXNAME}
uSNCreated: 1
uSNChanged: 1
-showInAdvancedViewOnly: TRUE
-name: ${SID}
-objectGUID: ${NEWGUID}
-objectSid: ${SID}
-objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,${BASEDN}
-unixName: ${UNIXNAME}
";
var sub = new Object();
sub.SID = sid;
@@ -212,7 +203,7 @@ function setup_file(template, fname, subobj)
/*
provision samba4 - caution, this wipes all existing data!
*/
-function provision(subobj, message)
+function provision(subobj, message, blank)
{
var data = "";
var lp = loadparm_init();
@@ -249,7 +240,11 @@ function provision(subobj, message)
message("Setting up sam.ldb templates\n");
setup_ldb("provision_templates.ldif", "sam.ldb", subobj, NULL, false);
message("Setting up sam.ldb data\n");
- setup_ldb("provision.ldif", "sam.ldb", subobj, data, false);
+ setup_ldb("provision.ldif", "sam.ldb", subobj, NULL, false);
+ if (blank == false) {
+ message("Setting up sam.ldb users and groups\n");
+ setup_ldb("provision_users.ldif", "sam.ldb", subobj, data, false);
+ }
message("Setting up rootdse.ldb\n");
setup_ldb("rootdse.ldif", "rootdse.ldb", subobj);
message("Setting up secrets.ldb\n");
diff --git a/source4/setup/provision b/source4/setup/provision
index 90363fcf20..dc542f59f0 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -27,7 +27,8 @@ ok = GetOptions(ARGV, options,
'nogroup=s',
'wheel=s',
'users=s',
- 'quiet');
+ 'quiet',
+ 'blank');
if (ok == false) {
println("Failed to parse options: " + options.ERROR);
return -1;
@@ -72,6 +73,7 @@ provision [options]
--wheel GROUPNAME choose 'wheel' privileged group
--users GROUPNAME choose 'users' group
--quiet Be quiet
+ --blank do not add users or groups, just the structure
You must provide at least a realm and domain
@@ -106,6 +108,6 @@ for (r in options) {
message("Provisioning for %s in realm %s\n", subobj.DOMAIN, subobj.REALM);
message("Using administrator password: %s\n", subobj.ADMINPASS);
-provision(subobj, message);
+provision(subobj, message, options["blank"] != undefined);
message("All OK\n");
return 0;
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 01dbc6366a..b2d0848946 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -23,6 +23,7 @@ nextRid: 1001
pwdProperties: 1
pwdHistoryLength: 24
objectSid: ${DOMAINSID}
+oEMInformation: Provisioned by Samba4: ${LDAPTIME}
serverState: 1
nTMixedDomain: 1
msDS-Behavior-Version: 0
@@ -172,464 +173,6 @@ modifiedCount: 1
objectCategory: CN=Builtin-Domain,CN=Schema,CN=Configuration,${BASEDN}
isCriticalSystemObject: TRUE
-dn: CN=Administrator,CN=Users,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: Administrator
-description: Built-in account for administering the computer/domain
-uSNCreated: 1
-memberOf: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
-memberOf: CN=Domain Admins,CN=Users,${BASEDN}
-memberOf: CN=Enterprise Admins,CN=Users,${BASEDN}
-memberOf: CN=Schema Admins,CN=Users,${BASEDN}
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-userAccountControl: 0x10200
-objectSid: ${DOMAINSID}-500
-adminCount: 1
-accountExpires: -1
-sAMAccountName: Administrator
-isCriticalSystemObject: TRUE
-unicodePwd: ${ADMINPASS}
-unixName: ${ROOT}
-
-dn: CN=Guest,CN=Users,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: Guest
-description: Built-in account for guest access to the computer/domain
-uSNCreated: 1
-memberOf: CN=Guests,CN=Builtin,${BASEDN}
-uSNChanged: 1
-userAccountControl: 0x10222
-primaryGroupID: 514
-objectSid: ${DOMAINSID}-501
-sAMAccountName: Guest
-isCriticalSystemObject: TRUE
-
-dn: CN=Administrators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Administrators
-description: Administrators have complete and unrestricted access to the computer/domain
-member: CN=Domain Admins,CN=Users,${BASEDN}
-member: CN=Enterprise Admins,CN=Users,${BASEDN}
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-544
-adminCount: 1
-sAMAccountName: Administrators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-privilege: SeSecurityPrivilege
-privilege: SeBackupPrivilege
-privilege: SeRestorePrivilege
-privilege: SeSystemtimePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeRemoteShutdownPrivilege
-privilege: SeTakeOwnershipPrivilege
-privilege: SeDebugPrivilege
-privilege: SeSystemEnvironmentPrivilege
-privilege: SeSystemProfilePrivilege
-privilege: SeProfileSingleProcessPrivilege
-privilege: SeIncreaseBasePriorityPrivilege
-privilege: SeLoadDriverPrivilege
-privilege: SeCreatePagefilePrivilege
-privilege: SeIncreaseQuotaPrivilege
-privilege: SeChangeNotifyPrivilege
-privilege: SeUndockPrivilege
-privilege: SeManageVolumePrivilege
-privilege: SeImpersonatePrivilege
-privilege: SeCreateGlobalPrivilege
-privilege: SeEnableDelegationPrivilege
-privilege: SeInteractiveLogonRight
-privilege: SeNetworkLogonRight
-privilege: SeRemoteInteractiveLogonRight
-
-
-dn: CN=Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Users
-description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
-member: CN=Domain Users,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-545
-sAMAccountName: Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Guests,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Guests
-description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
-member: CN=Domain Guests,CN=Users,${BASEDN}
-member: CN=Guest,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-546
-sAMAccountName: Guests
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-unixName: ${NOGROUP}
-
-dn: CN=Print Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Print Operators
-description: Members can administer domain printers
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-550
-adminCount: 1
-sAMAccountName: Print Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeLoadDriverPrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-
-dn: CN=Backup Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Backup Operators
-description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-551
-adminCount: 1
-sAMAccountName: Backup Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeBackupPrivilege
-privilege: SeRestorePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-
-dn: CN=Replicator,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Replicator
-description: Supports file replication in a domain
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-552
-adminCount: 1
-sAMAccountName: Replicator
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Remote Desktop Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Remote Desktop Users
-description: Members in this group are granted the right to logon remotely
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-555
-sAMAccountName: Remote Desktop Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Network Configuration Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Network Configuration Operators
-description: Members in this group can have some administrative privileges to manage configuration of networking features
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-556
-sAMAccountName: Network Configuration Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Performance Monitor Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Performance Monitor Users
-description: Members of this group have remote access to monitor this computer
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-558
-sAMAccountName: Performance Monitor Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Performance Log Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Performance Log Users
-description: Members of this group have remote access to schedule logging of performance counters on this computer
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-559
-sAMAccountName: Performance Log Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=${NETBIOSNAME},OU=Domain Controllers,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: computer
-cn: ${NETBIOSNAME}
-uSNCreated: 1
-uSNChanged: 1
-objectGUID: ${HOSTGUID}
-userAccountControl: 532480
-lastLogon: 127273269057298624
-localPolicyFlags: 0
-pwdLastSet: 127258826171655328
-primaryGroupID: 516
-objectSid: ${DOMAINSID}-1000
-accountExpires: 9223372036854775807
-sAMAccountName: ${NETBIOSNAME}$
-sAMAccountType: 805306369
-operatingSystem: Samba
-operatingSystemVersion: 4.0
-dNSHostName: ${DNSNAME}
-isCriticalSystemObject: TRUE
-unicodePwd: ${MACHINEPASS}
-servicePrincipalName: HOST/${DNSNAME}
-servicePrincipalName: HOST/${NETBIOSNAME}
-msDS-KeyVersionNumber: 1
-
-dn: CN=krbtgt,CN=Users,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: krbtgt
-description: Key Distribution Center Service Account
-uSNCreated: 1
-uSNChanged: 1
-showInAdvancedViewOnly: TRUE
-userAccountControl: 514
-pwdLastSet: 127258826179466560
-objectSid: ${DOMAINSID}-502
-adminCount: 1
-accountExpires: 9223372036854775807
-sAMAccountName: krbtgt
-sAMAccountType: 805306368
-servicePrincipalName: kadmin/changepw
-isCriticalSystemObject: TRUE
-unicodePwd: ${KRBTGTPASS}
-
-dn: CN=Domain Computers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Computers
-description: All workstations and servers joined to the domain
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-515
-sAMAccountName: Domain Computers
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Domain Controllers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Controllers
-description: All domain controllers in the domain
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-516
-adminCount: 1
-sAMAccountName: Domain Controllers
-isCriticalSystemObject: TRUE
-
-dn: CN=Schema Admins,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Schema Admins
-description: Designated administrators of the schema
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-518
-adminCount: 1
-sAMAccountName: Schema Admins
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=Enterprise Admins,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Enterprise Admins
-description: Designated administrators of the enterprise
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-519
-adminCount: 1
-sAMAccountName: Enterprise Admins
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=Cert Publishers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Cert Publishers
-description: Members of this group are permitted to publish certificates to the Active Directory
-uSNCreated: 1
-uSNChanged: 1
-groupType: 0x80000004
-sAMAccountType: 0x20000000
-objectSid: ${DOMAINSID}-517
-sAMAccountName: Cert Publishers
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Domain Admins,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Admins
-description: Designated administrators of the domain
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-512
-adminCount: 1
-sAMAccountName: Domain Admins
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=Domain Users,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Users
-description: All domain users
-uSNCreated: 1
-memberOf: CN=Users,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-513
-sAMAccountName: Domain Users
-isCriticalSystemObject: TRUE
-unixName: ${USERS}
-
-dn: CN=Domain Guests,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Guests
-description: All domain guests
-uSNCreated: 1
-memberOf: CN=Guests,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-514
-sAMAccountName: Domain Guests
-isCriticalSystemObject: TRUE
-
-dn: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Group Policy Creator Owners
-description: Members in this group can modify group policy for the domain
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-520
-sAMAccountName: Group Policy Creator Owners
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=RAS and IAS Servers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: RAS and IAS Servers
-description: Servers in this group can access remote access properties of users
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-553
-sAMAccountName: RAS and IAS Servers
-sAMAccountType: 0x20000000
-groupType: 0x80000004
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Server Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Server Operators
-description: Members can administer domain servers
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-549
-adminCount: 1
-sAMAccountName: Server Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeBackupPrivilege
-privilege: SeSystemtimePrivilege
-privilege: SeRemoteShutdownPrivilege
-privilege: SeRestorePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-
-dn: CN=Account Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Account Operators
-description: Members can administer domain user and group accounts
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-548
-adminCount: 1
-sAMAccountName: Account Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeInteractiveLogonRight
-
###############################
# Configuration Naming Context
###############################
diff --git a/source4/setup/provision_templates.ldif b/source4/setup/provision_templates.ldif
index 9a045d2afc..3693f46558 100644
--- a/source4/setup/provision_templates.ldif
+++ b/source4/setup/provision_templates.ldif
@@ -121,6 +121,9 @@ objectClass: top
objectClass: Template
objectClass: foreignSecurityPrincipalTemplate
cn: TemplateForeignSecurityPrincipal
+instanceType: 4
+showInAdvancedViewOnly: TRUE
+objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,${BASEDN}
dn: CN=TemplateSecret,CN=Templates,${BASEDN}
objectClass: top
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
new file mode 100644
index 0000000000..2e420b226a
--- /dev/null
+++ b/source4/setup/provision_users.ldif
@@ -0,0 +1,459 @@
+dn: CN=Administrator,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: Administrator
+description: Built-in account for administering the computer/domain
+uSNCreated: 1
+memberOf: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
+memberOf: CN=Domain Admins,CN=Users,${BASEDN}
+memberOf: CN=Enterprise Admins,CN=Users,${BASEDN}
+memberOf: CN=Schema Admins,CN=Users,${BASEDN}
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+userAccountControl: 0x10200
+objectSid: ${DOMAINSID}-500
+adminCount: 1
+accountExpires: -1
+sAMAccountName: Administrator
+isCriticalSystemObject: TRUE
+unicodePwd: ${ADMINPASS}
+unixName: ${ROOT}
+
+dn: CN=Guest,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: Guest
+description: Built-in account for guest access to the computer/domain
+uSNCreated: 1
+memberOf: CN=Guests,CN=Builtin,${BASEDN}
+uSNChanged: 1
+userAccountControl: 0x10222
+primaryGroupID: 514
+objectSid: ${DOMAINSID}-501
+sAMAccountName: Guest
+isCriticalSystemObject: TRUE
+
+dn: CN=Administrators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Administrators
+description: Administrators have complete and unrestricted access to the computer/domain
+member: CN=Domain Admins,CN=Users,${BASEDN}
+member: CN=Enterprise Admins,CN=Users,${BASEDN}
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-544
+adminCount: 1
+sAMAccountName: Administrators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+privilege: SeSecurityPrivilege
+privilege: SeBackupPrivilege
+privilege: SeRestorePrivilege
+privilege: SeSystemtimePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeRemoteShutdownPrivilege
+privilege: SeTakeOwnershipPrivilege
+privilege: SeDebugPrivilege
+privilege: SeSystemEnvironmentPrivilege
+privilege: SeSystemProfilePrivilege
+privilege: SeProfileSingleProcessPrivilege
+privilege: SeIncreaseBasePriorityPrivilege
+privilege: SeLoadDriverPrivilege
+privilege: SeCreatePagefilePrivilege
+privilege: SeIncreaseQuotaPrivilege
+privilege: SeChangeNotifyPrivilege
+privilege: SeUndockPrivilege
+privilege: SeManageVolumePrivilege
+privilege: SeImpersonatePrivilege
+privilege: SeCreateGlobalPrivilege
+privilege: SeEnableDelegationPrivilege
+privilege: SeInteractiveLogonRight
+privilege: SeNetworkLogonRight
+privilege: SeRemoteInteractiveLogonRight
+
+
+dn: CN=${NETBIOSNAME},OU=Domain Controllers,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: computer
+cn: ${NETBIOSNAME}
+uSNCreated: 1
+uSNChanged: 1
+objectGUID: ${HOSTGUID}
+userAccountControl: 532480
+lastLogon: 127273269057298624
+localPolicyFlags: 0
+pwdLastSet: 127258826171655328
+primaryGroupID: 516
+objectSid: ${DOMAINSID}-1000
+accountExpires: 9223372036854775807
+sAMAccountName: ${NETBIOSNAME}$
+sAMAccountType: 805306369
+operatingSystem: Samba
+operatingSystemVersion: 4.0
+dNSHostName: ${DNSNAME}
+isCriticalSystemObject: TRUE
+unicodePwd: ${MACHINEPASS}
+servicePrincipalName: HOST/${DNSNAME}
+servicePrincipalName: HOST/${NETBIOSNAME}
+msDS-KeyVersionNumber: 1
+
+
+dn: CN=Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Users
+description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
+member: CN=Domain Users,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-545
+sAMAccountName: Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Guests,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Guests
+description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
+member: CN=Domain Guests,CN=Users,${BASEDN}
+member: CN=Guest,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-546
+sAMAccountName: Guests
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${NOGROUP}
+
+dn: CN=Print Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Print Operators
+description: Members can administer domain printers
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-550
+adminCount: 1
+sAMAccountName: Print Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeLoadDriverPrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Backup Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Backup Operators
+description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-551
+adminCount: 1
+sAMAccountName: Backup Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeBackupPrivilege
+privilege: SeRestorePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Replicator,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Replicator
+description: Supports file replication in a domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-552
+adminCount: 1
+sAMAccountName: Replicator
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Remote Desktop Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Remote Desktop Users
+description: Members in this group are granted the right to logon remotely
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-555
+sAMAccountName: Remote Desktop Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Network Configuration Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Network Configuration Operators
+description: Members in this group can have some administrative privileges to manage configuration of networking features
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-556
+sAMAccountName: Network Configuration Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Performance Monitor Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Performance Monitor Users
+description: Members of this group have remote access to monitor this computer
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-558
+sAMAccountName: Performance Monitor Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Performance Log Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Performance Log Users
+description: Members of this group have remote access to schedule logging of performance counters on this computer
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-559
+sAMAccountName: Performance Log Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=krbtgt,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: krbtgt
+description: Key Distribution Center Service Account
+uSNCreated: 1
+uSNChanged: 1
+showInAdvancedViewOnly: TRUE
+userAccountControl: 514
+pwdLastSet: 127258826179466560
+objectSid: ${DOMAINSID}-502
+adminCount: 1
+accountExpires: 9223372036854775807
+sAMAccountName: krbtgt
+sAMAccountType: 805306368
+servicePrincipalName: kadmin/changepw
+isCriticalSystemObject: TRUE
+unicodePwd: ${KRBTGTPASS}
+
+dn: CN=Domain Computers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Computers
+description: All workstations and servers joined to the domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-515
+sAMAccountName: Domain Computers
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Controllers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Controllers
+description: All domain controllers in the domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-516
+adminCount: 1
+sAMAccountName: Domain Controllers
+isCriticalSystemObject: TRUE
+
+dn: CN=Schema Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Schema Admins
+description: Designated administrators of the schema
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-518
+adminCount: 1
+sAMAccountName: Schema Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Enterprise Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Enterprise Admins
+description: Designated administrators of the enterprise
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-519
+adminCount: 1
+sAMAccountName: Enterprise Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Cert Publishers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Cert Publishers
+description: Members of this group are permitted to publish certificates to the Active Directory
+uSNCreated: 1
+uSNChanged: 1
+groupType: 0x80000004
+sAMAccountType: 0x20000000
+objectSid: ${DOMAINSID}-517
+sAMAccountName: Cert Publishers
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Admins
+description: Designated administrators of the domain
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-512
+adminCount: 1
+sAMAccountName: Domain Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Domain Users,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Users
+description: All domain users
+uSNCreated: 1
+memberOf: CN=Users,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-513
+sAMAccountName: Domain Users
+isCriticalSystemObject: TRUE
+unixName: ${USERS}
+
+dn: CN=Domain Guests,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Guests
+description: All domain guests
+uSNCreated: 1
+memberOf: CN=Guests,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-514
+sAMAccountName: Domain Guests
+isCriticalSystemObject: TRUE
+
+dn: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Group Policy Creator Owners
+description: Members in this group can modify group policy for the domain
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-520
+sAMAccountName: Group Policy Creator Owners
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=RAS and IAS Servers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: RAS and IAS Servers
+description: Servers in this group can access remote access properties of users
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-553
+sAMAccountName: RAS and IAS Servers
+sAMAccountType: 0x20000000
+groupType: 0x80000004
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Server Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Server Operators
+description: Members can administer domain servers
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-549
+adminCount: 1
+sAMAccountName: Server Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeBackupPrivilege
+privilege: SeSystemtimePrivilege
+privilege: SeRemoteShutdownPrivilege
+privilege: SeRestorePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Account Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Account Operators
+description: Members can administer domain user and group accounts
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-548
+adminCount: 1
+sAMAccountName: Account Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeInteractiveLogonRight
+