From 2fc5331e5c23e3f448b53fa7838e478772d0caed Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer
Date: Fri, 10 Jul 2009 12:48:18 +0200
Subject: [SAMBA 4 directory] Refactoring and clean up of directory structure
- Adds more system objects which make sense to have them in SAMBA 4 also to have them when we add more and more services related to the directory (volume support, DFS, replication service, COM...)
- Make sure that "isCriticalSystemObject" and "showInAdvancedViewOnly" attributes are set correctly on each object
---
source4/setup/provision.ldif | 184 ++++++++++++++++++++------
source4/setup/provision_basedn_modify.ldif | 6 +-
source4/setup/provision_computers_modify.ldif | 6 +-
source4/setup/provision_configuration.ldif | 1 +
source4/setup/provision_group_policy.ldif | 11 --
source4/setup/provision_self_join.ldif | 5 +-
source4/setup/provision_users.ldif | 26 ++--
source4/setup/provision_users_modify.ldif | 6 +-
source4/setup/schema_samba4.ldif | 3 -
9 files changed, 167 insertions(+), 81 deletions(-)
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index e5b20d03e1..9f50b45dff 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -1,7 +1,28 @@
+dn: CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: builtinDomain
+forceLogoff: -9223372036854775808
+lockoutDuration: -18000000000
+lockOutObservationWindow: -18000000000
+lockoutThreshold: 0
+maxPwdAge: -37108517437440
+minPwdAge: 0
+minPwdLength: 0
+modifiedCountAtLastProm: 0
+nextRid: 1000
+pwdProperties: 0
+pwdHistoryLength: 0
+objectSid: S-1-5-32
+serverState: 1
+uASCompat: 1
+modifiedCount: 1
+systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+showInAdvancedViewOnly: FALSE
+
 dn: OU=Domain Controllers,${DOMAINDN}
 objectClass: top
 objectClass: organizationalUnit
-cn: Domain Controllers
 description: Default container for domain controllers
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
@@ -10,82 +31,171 @@ showInAdvancedViewOnly: FALSE
 dn: CN=ForeignSecurityPrincipals,${DOMAINDN}
 objectClass: top
 objectClass: container
-cn: ForeignSecurityPrincipals
 description: Default container for security identifiers (SIDs) associated with objects from external, trusted domains
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
 showInAdvancedViewOnly: FALSE
+dn: CN=Infrastructure,${DOMAINDN}
+objectClass: top
+objectClass: infrastructureUpdate
+systemFlags: -1946157056
+fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=LostAndFound,${DOMAINDN}
+objectClass: top
+objectClass: lostAndFound
+description: Default container for orphaned objects
+systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+
+dn: CN=NTDS Quotas,${DOMAINDN}
+objectClass: top
+objectClass: msDS-QuotaContainer
+description: Quota specifications container
+msDS-TombstoneQuotaFactor: 100
+systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+
+dn: CN=Program Data,${DOMAINDN}
+objectClass: top
+objectClass: container
+description: Default location for storage of application data.
+
+dn: CN=Microsoft,CN=Program Data,${DOMAINDN}
+objectClass: top
+objectClass: container
+description: Default location for storage of Microsoft application data.
+
 dn: CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
-cn: System
 description: Builtin system settings
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
-dn: CN=RID Manager$,CN=System,${DOMAINDN}
-objectclass: top
-objectclass: rIDManager
-cn: RID Manager$
+dn: CN=AdminSDHolder,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
-fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
-rIDAvailablePool: 4611686014132423217
+
+dn: CN=ComPartitions,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+
+dn: CN=ComPartitionSets,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+
+dn: CN=Default Domain Policy,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: leaf
+objectClass: domainPolicy
+isCriticalSystemObject: TRUE
+
+dn: CN=AppCategories,CN=Default Domain Policy,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: classStore
+isCriticalSystemObject: TRUE
+
+dn: CN=Dfs-Configuration,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: dfsConfiguration
+isCriticalSystemObject: TRUE
+showInAdvancedViewOnly: FALSE
 dn: CN=DomainUpdates,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
-cn: DomainUpdates
+
+dn: CN=Operations,CN=DomainUpdates,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
 dn: CN=Windows2003Update,CN=DomainUpdates,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
-cn: Windows2003Update
 revision: 8
-dn: CN=Infrastructure,${DOMAINDN}
-objectclass: top
-objectclass: infrastructureUpdate
-cn: Infrastructure
+dn: CN=File Replication Service,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: applicationSettings
+objectClass: nTFRSSettings
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
-fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
-dn: CN=Builtin,${DOMAINDN}
+dn: CN=FileLinks,CN=System,${DOMAINDN}
 objectClass: top
-objectClass: builtinDomain
-cn: Builtin
-forceLogoff: -9223372036854775808
-lockoutDuration: -18000000000
-lockOutObservationWindow: -18000000000
-lockoutThreshold: 0
-maxPwdAge: -37108517437440
-minPwdAge: 0
-minPwdLength: 0
-modifiedCountAtLastProm: 0
-nextRid: 1000
-pwdProperties: 0
-pwdHistoryLength: 0
-objectSid: S-1-5-32
-serverState: 1
-uASCompat: 1
-modifiedCount: 1
+objectClass: fileLinkTracking
+systemFlags: -1946157056
 isCriticalSystemObject: TRUE
-showInAdvancedViewOnly: FALSE
+
+dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: fileLinkTracking
+objectClass: linkTrackObjectMoveTable
+systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+
+dn: CN=VolumeTable,CN=FileLinks,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: fileLinkTracking
+objectClass: linkTrackVolumeTable
 systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+
+dn: CN=IP Security,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+isCriticalSystemObject: TRUE
+
+dn: CN=Meetings,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+isCriticalSystemObject: TRUE
 dn: CN=Policies,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
 systemFlags: -1946157056
+isCriticalSystemObject: TRUE
-dn: CN=IP Security,CN=System,${DOMAINDN}
+dn: CN=RAS and IAS Servers Access Check,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
+systemFlags: -1946157056
+isCriticalSystemObject: TRUE
-dn: CN=ComPartitionSets,CN=System,${DOMAINDN}
+dn: CN=RID Manager$,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: rIDManager
+systemFlags: -1946157056
+fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
+rIDAvailablePool: 4611686014132423217
+isCriticalSystemObject: TRUE
+
+dn: CN=RpcServices,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
+objectClass: rpcContainer
 systemFlags: -1946157056
+isCriticalSystemObject: TRUE
+
+dn: CN=Server,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: securityObject
+objectClass: samServer
+systemFlags: -1946157056
+revision: 65543
+isCriticalSystemObject: TRUE
+dn: CN=WinsockServices,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+isCriticalSystemObject: TRUE
diff --git a/source4/setup/provision_basedn_modify.ldif b/source4/setup/provision_basedn_modify.ldif
index 36e80ec69c..29ba75be98 100644
--- a/source4/setup/provision_basedn_modify.ldif
+++ b/source4/setup/provision_basedn_modify.ldif
@@ -67,9 +67,6 @@ fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
 replace: systemFlags
 systemFlags: -1946157056
 -
-replace: isCriticalSystemObject
-isCriticalSystemObject: TRUE
--
 replace: subRefs
 subRefs: ${CONFIGDN}
 -
@@ -84,4 +81,7 @@ wellKnownObjects: B:32:a361b2ffffd211d1aa4b00c04fd7d83a:OU=Domain Controllers,${
 wellKnownObjects: B:32:aa312825768811d1aded00c04fd8d5cd:CN=Computers,${DOMAINDN}
 wellKnownObjects: B:32:a9d1ca15768811d1aded00c04fd8d5cd:CN=Users,${DOMAINDN}
 -
+replace: isCriticalSystemObject
+isCriticalSystemObject: TRUE
+-
 ${DOMAINGUID_MOD}
diff --git a/source4/setup/provision_computers_modify.ldif b/source4/setup/provision_computers_modify.ldif
index 110c44c356..b3d9dc1fa8 100644
--- a/source4/setup/provision_computers_modify.ldif
+++ b/source4/setup/provision_computers_modify.ldif
@@ -3,11 +3,11 @@ changetype: modify
 replace: description
 description: Default container for upgraded computer accounts
 -
-replace: showInAdvancedViewOnly
-showInAdvancedViewOnly: FALSE
--
 replace: systemFlags
 systemFlags: -1946157056
 -
 replace: isCriticalSystemObject
 isCriticalSystemObject: TRUE
+-
+replace: showInAdvancedViewOnly
+showInAdvancedViewOnly: FALSE
diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
index 0dad24c705..4109c2236c 100644
--- a/source4/setup/provision_configuration.ldif
+++ b/source4/setup/provision_configuration.ldif
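Review bot: The new `CN=Program Data`, `CN=Microsoft,CN=Program Data` and `CN=Operations,CN=DomainUpdates` entries are added without `isCriticalSystemObject` or `systemFlags`, and among the new `CN=System` children only `CN=Dfs-Configuration` carries `showInAdvancedViewOnly`, while the commit message says both attributes are set correctly on each object. If the omissions are deliberate (for instance because the schema supplies the default for the missing attribute), a comment near the top of the file should record that, e.g. `# showInAdvancedViewOnly is only stated where it must differ from the schema default`. If they are not, the containers that are meant to be protected like their neighbours should carry the same `systemFlags: -1946157056` and `isCriticalSystemObject: TRUE` pair the other entries in this hunk use.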
@@ -8,6 +8,7 @@ cn: Partitions
 systemFlags: -2147483648
 msDS-Behavior-Version: ${FOREST_FUNCTIONALALITY}
 fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
+showInAdvancedViewOnly: TRUE
 dn: CN=Enterprise Configuration,CN=Partitions,${CONFIGDN}
 objectClass: top
diff --git a/source4/setup/provision_group_policy.ldif b/source4/setup/provision_group_policy.ldif
index d6a4659250..65ab1eaf5f 100644
--- a/source4/setup/provision_group_policy.ldif
+++ b/source4/setup/provision_group_policy.ldif
@@ -1,14 +1,3 @@
-dn: CN=Default Domain Policy,CN=System,${DOMAINDN}
-objectClass: top
-objectClass: leaf
-objectClass: domainPolicy
-isCriticalSystemObject: TRUE
-
 dn: CN=AppCategories,CN=Default Domain Policy,CN=System,${DOMAINDN}
-objectClass: top
-objectClass: classStore
-isCriticalSystemObject: TRUE
-
 dn: CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index b60fea6576..da8c5b9e1d 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -15,7 +15,6 @@ sAMAccountName: ${NETBIOSNAME}$
 operatingSystem: Samba
 operatingSystemVersion: ${SAMBA_VERSION_STRING}
 dNSHostName: ${DNSNAME}
-isCriticalSystemObject: TRUE
 userPassword:: ${MACHINEPASS_B64}
 servicePrincipalName: HOST/${DNSNAME}
 servicePrincipalName: HOST/${NETBIOSNAME}
@@ -23,6 +22,7 @@ servicePrincipalName: HOST/${DNSNAME}/${REALM}
 servicePrincipalName: HOST/${NETBIOSNAME}/${REALM}
 servicePrincipalName: HOST/${DNSNAME}/${DOMAIN}
 servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
+isCriticalSystemObject: TRUE
 #Provide a account for DNS keytab export
 dn: CN=dns,CN=Users,${DOMAINDN}
@@ -36,9 +36,8 @@ userAccountControl: 514
 accountExpires: 9223372036854775807
 sAMAccountName: dns
 servicePrincipalName: DNS/${DNSDOMAIN}
-isCriticalSystemObject: TRUE
 userPassword:: ${DNSPASS_B64}
-showInAdvancedViewOnly: TRUE
+isCriticalSystemObject: TRUE
 dn: ${SERVERDN}
 objectClass: top
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index 88146d8cac..47240a9d07 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -7,8 +7,8 @@ objectSid: ${DOMAINSID}-500
 adminCount: 1
 accountExpires: 9223372036854775807
 sAMAccountName: Administrator
-isCriticalSystemObject: TRUE
 userPassword:: ${ADMINPASS_B64}
+isCriticalSystemObject: TRUE
 dn: CN=Guest,CN=Users,${DOMAINDN}
 objectClass: user
@@ -45,8 +45,8 @@ adminCount: 1
 accountExpires: 9223372036854775807
 sAMAccountName: krbtgt
 servicePrincipalName: kadmin/changepw
-isCriticalSystemObject: TRUE
 userPassword:: ${KRBTGTPASS_B64}
+isCriticalSystemObject: TRUE
 dn: CN=Domain Computers,CN=Users,${DOMAINDN}
 objectClass: top
@@ -187,16 +187,6 @@ sAMAccountName: Event Log Readers
 groupType: -2147483644
 isCriticalSystemObject: TRUE
-dn: CN=IIS_IUSRS,CN=Users,${DOMAINDN}
-objectClass: top
-objectClass: group
-cn: IIS_IUSRS
-description: IIS_IUSRS
-objectSid: ${DOMAINSID}-568
-sAMAccountName: IIS_IUSRS
-groupType: -2147483644
-isCriticalSystemObject: TRUE
-
 dn: CN=Administrators,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
@@ -210,7 +200,6 @@ adminCount: 1
 sAMAccountName: Administrators
 systemFlags: -1946157056
 groupType: -2147483643
-isCriticalSystemObject: TRUE
 privilege: SeSecurityPrivilege
 privilege: SeBackupPrivilege
 privilege: SeRestorePrivilege
@@ -235,6 +224,7 @@ privilege: SeEnableDelegationPrivilege
 privilege: SeInteractiveLogonRight
 privilege: SeNetworkLogonRight
 privilege: SeRemoteInteractiveLogonRight
+isCriticalSystemObject: TRUE
 dn: CN=Users,CN=Builtin,${DOMAINDN}
 objectClass: top
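Review bot: `showInAdvancedViewOnly: TRUE` is removed from the `CN=dns,CN=Users` account with nothing taking its place, so this disabled (`userAccountControl: 514` in the hunk context) keytab-export account with a stored `userPassword::` value now appears in the default directory view, while the same commit adds the attribute to the Partitions object in provision_configuration.ldif. If the account is meant to stay hidden like other service objects, keep `showInAdvancedViewOnly: TRUE` next to the re-added `isCriticalSystemObject: TRUE`; if dropping it is intentional, the commit message should say why, since it only speaks of setting the attribute correctly. The entry's `dn:` and `objectClass` lines are outside the hunk.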
@@ -271,10 +261,10 @@ adminCount: 1
 sAMAccountName: Print Operators
 systemFlags: -1946157056
 groupType: -2147483643
-isCriticalSystemObject: TRUE
 privilege: SeLoadDriverPrivilege
 privilege: SeShutdownPrivilege
 privilege: SeInteractiveLogonRight
+isCriticalSystemObject: TRUE
 dn: CN=Backup Operators,CN=Builtin,${DOMAINDN}
 objectClass: top
@@ -286,11 +276,11 @@ adminCount: 1
 sAMAccountName: Backup Operators
 systemFlags: -1946157056
 groupType: -2147483643
-isCriticalSystemObject: TRUE
 privilege: SeBackupPrivilege
 privilege: SeRestorePrivilege
 privilege: SeShutdownPrivilege
 privilege: SeInteractiveLogonRight
+isCriticalSystemObject: TRUE
 dn: CN=Replicator,CN=Builtin,${DOMAINDN}
 objectClass: top
@@ -358,13 +348,13 @@ adminCount: 1
 sAMAccountName: Server Operators
 systemFlags: -1946157056
 groupType: -2147483643
-isCriticalSystemObject: TRUE
 privilege: SeBackupPrivilege
 privilege: SeSystemtimePrivilege
 privilege: SeRemoteShutdownPrivilege
 privilege: SeRestorePrivilege
 privilege: SeShutdownPrivilege
 privilege: SeInteractiveLogonRight
+isCriticalSystemObject: TRUE
 dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
 objectClass: top
@@ -376,8 +366,8 @@ adminCount: 1
 sAMAccountName: Account Operators
 systemFlags: -1946157056
 groupType: -2147483643
-isCriticalSystemObject: TRUE
 privilege: SeInteractiveLogonRight
+isCriticalSystemObject: TRUE
 dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
 objectClass: top
@@ -388,9 +378,9 @@ objectSid: S-1-5-32-554
 sAMAccountName: Pre-Windows 2000 Compatible Access
 systemFlags: -1946157056
 groupType: -2147483643
-isCriticalSystemObject: TRUE
 privilege: SeRemoteInteractiveLogonRight
 privilege: SeChangeNotifyPrivilege
+isCriticalSystemObject: TRUE
 dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
 objectClass: top
diff --git a/source4/setup/provision_users_modify.ldif b/source4/setup/provision_users_modify.ldif
index a7e8a4336a..6a2e180b15 100644
--- a/source4/setup/provision_users_modify.ldif
+++ b/source4/setup/provision_users_modify.ldif
@@ -3,11 +3,11 @@ changetype: modify
 replace: description
 description: Default container for upgraded user accounts
 -
-replace: showInAdvancedViewOnly
-showInAdvancedViewOnly: FALSE
--
 replace: systemFlags
 systemFlags: -1946157056
 -
 replace: isCriticalSystemObject
 isCriticalSystemObject: TRUE
+-
+replace: showInAdvancedViewOnly
+showInAdvancedViewOnly: FALSE
diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif
index c11e65e465..591aefbb75 100644
--- a/source4/setup/schema_samba4.ldif
+++ b/source4/setup/schema_samba4.ldif
@@ -220,7 +220,6 @@ objectClass: classSchema
 subClassOf: top
 governsID: 1.3.6.1.4.1.7165.4.2.2
 rDNAttID: cn
-showInAdvancedViewOnly: TRUE
 adminDisplayName: Samba4-Local-Domain
 adminDescription: Samba4-Local-Domain
 systemMayContain: msDS-Behavior-Version
@@ -243,7 +242,6 @@ subClassOf: top
 governsID: 1.3.6.1.4.1.7165.4.2.1
 mayContain: msDS-ObjectReferenceBL
 rDNAttID: cn
-showInAdvancedViewOnly: TRUE
 adminDisplayName: Samba4TopTop
 adminDescription: Attributes used in top in Samba4 that OpenLDAP does not
 objectClassCategory: 3
@@ -344,7 +342,6 @@ objectClass: classSchema
 subClassOf: top
 governsID: 1.3.6.1.4.1.7165.4.2.3
 rDNAttID: cn
-showInAdvancedViewOnly: TRUE
 adminDisplayName: Samba4TopExtra
 adminDescription: Attributes used in top in Samba4 that OpenLDAP does not
 objectClassCategory: 2
-- cgit
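Review bot: Dropping `showInAdvancedViewOnly: TRUE` from the three Samba4 classSchema entries (this hunk at governsID 1.3.6.1.4.1.7165.4.2.2 and the two that follow at .4.2.1 and .4.2.3) is not covered by the commit description, which only speaks of directory objects, so a reader cannot tell whether schema classes are now meant to be visible or whether a default elsewhere applies. A sentence in the commit message, or a comment above the first affected entry such as `# showInAdvancedViewOnly intentionally omitted on the Samba4 schema classes`, would record the intent. The `dn:` line of each classSchema entry is outside its hunk.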