From 90d6829f8a6dcb9d4851ad587d75680de6815041 Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
Date: Sun, 6 Sep 2009 19:57:50 +0200
Subject: s4:Foreign security principals - Fix them up

I fixed them up to match with Windows Server 2003. I don't think that the
creation of them in the provision script is needed so I put them in the
"provision_users.ldif" file.
---
 source4/scripting/python/samba/provision.py | 19 -------------------
 source4/setup/provision.ldif                |  2 ++
 source4/setup/provision_users.ldif          | 29 +++++++++++++++++++++++++++++
 3 files changed, 31 insertions(+), 19 deletions(-)

diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 1fb78ab78e..6056350ab9 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -503,25 +503,6 @@ def setup_name_mappings(samdb, idmap, sid, domaindn, root_uid, nobody_uid,
     :param users_gid: gid of the UNIX users group.
     :param wheel_gid: gid of the UNIX wheel group."""
 
-    def add_foreign(self, domaindn, sid, desc):
-        """Add a foreign security principle."""
-        add = """
-dn: CN=%s,CN=ForeignSecurityPrincipals,%s
-objectClass: top
-objectClass: foreignSecurityPrincipal
-description: %s
-""" % (sid, domaindn, desc)
-        # deliberately ignore errors from this, as the records may
-        # already exist
-        for msg in self.parse_ldif(add):
-            self.add(msg[1])
-
-    add_foreign(samdb, domaindn, "S-1-5-7", "Anonymous")
-    add_foreign(samdb, domaindn, "S-1-1-0", "World")
-    add_foreign(samdb, domaindn, "S-1-5-2", "Network")
-    add_foreign(samdb, domaindn, "S-1-5-18", "System")
-    add_foreign(samdb, domaindn, "S-1-5-11", "Authenticated Users")
-    
     idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
     idmap.setup_name_mapping("S-1-5-32-544", idmap.TYPE_GID, wheel_gid)
     
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 4622112336..bd224ee60d 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -45,6 +45,8 @@ systemFlags: -1946157056
 isCriticalSystemObject: TRUE
 showInAdvancedViewOnly: FALSE
 
+# Foreign security principals located in "provision_users.ldif"
+
 dn: CN=Infrastructure,${DOMAINDN}
 objectClass: top
 objectClass: infrastructureUpdate
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index 8669d8a4e6..bc5616ba5b 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -176,6 +176,30 @@ sAMAccountName: Event Log Readers
 groupType: -2147483644
 isCriticalSystemObject: TRUE
 
+# Add foreign security principals
+
+dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-4
+
+dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-9
+
+dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-11
+
+dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-20
+
+# Add builtin objects
+
 dn: CN=Administrators,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
@@ -219,6 +243,8 @@ objectClass: top
 objectClass: group
 description: Users are prevented from making accidental or intentional system-wide changes.  Thus, Users can run certified applications, but not most legacy applications
 member: CN=Domain Users,CN=Users,${DOMAINDN}
+member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
+member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
 objectSid: S-1-5-32-545
 sAMAccountName: Users
 systemFlags: -1946157056
@@ -311,6 +337,7 @@ dn: CN=Performance Log Users,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
 description: Members of this group have remote access to schedule logging of performance counters on this computer
+member: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
 objectSid: S-1-5-32-559
 sAMAccountName: Performance Log Users
 systemFlags: -1946157056
@@ -350,6 +377,7 @@ dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
 description: A backward compatibility group which allows read access on all users and groups in the domain
+member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
 objectSid: S-1-5-32-554
 sAMAccountName: Pre-Windows 2000 Compatible Access
 systemFlags: -1946157056
@@ -372,6 +400,7 @@ dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
 description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
+member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
 objectSid: S-1-5-32-560
 sAMAccountName: Windows Authorization Access Group
 systemFlags: -1946157056
-- 
cgit