From 846e34264828e725ad32897aafbdfd6c0334a7a9 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 25 Aug 2011 13:18:43 +1000
Subject: s4-provision Split addition of users and well known principals

If we are provisioning a subdomain, then these are already in cn=configuration.

Andrew Bartlett
---
 .../scripting/python/samba/provision/__init__.py | 17 ++-
 source4/setup/provision_users.ldif | 136 ---------------------
 source4/setup/provision_well_known_sec_princ.ldif | 136 +++++++++++++++++++++
 3 files changed, 147 insertions(+), 142 deletions(-)
 create mode 100644 source4/setup/provision_well_known_sec_princ.ldif

diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index 130ea72e70..761caa2dce 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -1402,19 +1402,24 @@ def fill_samdb(samdb, lp, names,
 # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
 if fill == FILL_FULL:
 setup_modify_ldif(samdb,
- setup_path("provision_basedn_references.ldif"),
- {"DOMAINDN": names.domaindn})
+ setup_path("provision_configuration_references.ldif"), {
+ "CONFIGDN": names.configdn,
+ "SCHEMADN": names.schemadn})
 
- setup_modify_ldif(samdb,
- setup_path("provision_configuration_references.ldif"), {
+ logger.info("Setting up well known security principals")
+ setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), {
 "CONFIGDN": names.configdn,
- "SCHEMADN": names.schemadn})
+ })
 
+ if fill == FILL_FULL or fill == FILL_SUBDOMAIN:
+ setup_modify_ldif(samdb,
+ setup_path("provision_basedn_references.ldif"),
+ {"DOMAINDN": names.domaindn})
+
 logger.info("Setting up sam.ldb users and groups")
 setup_add_ldif(samdb, setup_path("provision_users.ldif"), {
 "DOMAINDN": names.domaindn,
 "DOMAINSID": str(domainsid),
- "CONFIGDN": names.configdn,
 "ADMINPASS_B64": b64encode(adminpass.encode('utf-16-le')),
 "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
 })
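Review bot: The well-known security principals are now added only inside `if fill == FILL_FULL:`, but the comment above that branch explains the subdomain case only for the configuration references, so a reader cannot tell why the `setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), ...)` call is skipped for a subdomain; add `# Well known security principals live under CONFIGDN, so a subdomain already has them via replication` above the new `logger.info` line. Since the `"CONFIGDN"` substitution was dropped from the `provision_users.ldif` call, any `${CONFIGDN}` reference that may remain earlier in that file (only lines 432 onward of it are in this patch) would now be left unexpanded, which is worth a check before merging. Stylistically, `if fill == FILL_FULL or fill == FILL_SUBDOMAIN:` reads better as `if fill in (FILL_FULL, FILL_SUBDOMAIN):`, and the one-key dict whose closing `})` sits on its own line can be collapsed to `{"CONFIGDN": names.configdn})`. fill_samdb starts and ends outside this hunk.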
@@ -432,139 +432,3 @@ systemFlags: -1946157056
 groupType: -2147483643
 isCriticalSystemObject: TRUE
 
-# Add well known security principals
-
-dn: CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: container
-systemFlags: -2147483648
-
-dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-7
-
-dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-11
-
-dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-3
-
-dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-3-1
-
-dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-3-0
-
-dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-1
-
-dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-64-21
-
-dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-9
-
-dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-1-0
-
-dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-4
-
-dn: CN=IUSR,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-17
-
-dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-19
-
-dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-2
-
-dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-20
-
-dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-64-10
-
-dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-1000
-
-dn: CN=Owner Rights,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-3-4
-
-dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-8
-
-dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-14
-
-dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-12
-
-dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-64-14
-
-dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-10
-
-dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-6
-
-dn: CN=System,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-18
-
-dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-13
-
-dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-15
diff --git a/source4/setup/provision_well_known_sec_princ.ldif b/source4/setup/provision_well_known_sec_princ.ldif
new file mode 100644
index 0000000000..54691bd796
--- /dev/null
+++ b/source4/setup/provision_well_known_sec_princ.ldif
@@ -0,0 +1,136 @@
+# Add well known security principals
+
+dn: CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: container
+systemFlags: -2147483648
+
+dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-7
+
+dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-11
+
+dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-3
+
+dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-3-1
+
+dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-3-0
+
+dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-1
+
+dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-64-21
+
+dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-9
+
+dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-1-0
+
+dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-4
+
+dn: CN=IUSR,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-17
+
+dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-19
+
+dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-2
+
+dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-20
+
+dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-64-10
+
+dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-1000
+
+dn: CN=Owner Rights,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-3-4
+
+dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-8
+
+dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-14
+
+dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-12
+
+dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-64-14
+
+dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-10
+
+dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-6
+
+dn: CN=System,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-18
+
+dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-13
+
+dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-15
-- cgit
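Review bot: The header comment `# Add well known security principals` carried over from provision_users.ldif no longer says why these entries now sit in their own file, and the __init__.py hunk applies this file only on a full provision, so a maintainer editing it cannot see that constraint; replace the comment with `# Well known security principals under CONFIGDN. Applied only on a full provision; a subdomain already replicates these in with cn=configuration.` The entries themselves appear to be a verbatim move of the block deleted from provision_users.ldif, so nothing else to raise here.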