From a4d056339235d436dfdbf82e14975151ee1bc7c3 Mon Sep 17 00:00:00 2001
From: Matthieu Patou
Date: Wed, 27 Jan 2010 02:03:15 +0300
Subject: provision: Use short name for assignee of ACE (BA, SA, CO, ...)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use short name (shortcut for wellknown SID/RID) for assignee in each entry of ACL (when possible) of sysvol files (GPO objects and netlogon folders). This avoid error prone substitution of DOMAINSID in ACL and make ACL clearer by using shortname for assignee accordingly with SDDL synthax rules. Translation to real SID is handled internaly by the from_sddl function.

Signed-off-by: Matthias Dieter Wallnöfer
---
 source4/scripting/python/samba/provision.py | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 27e5287457..f52766b228 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -1065,8 +1065,8 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp,
 FILL_FULL = "FULL"
 FILL_NT4SYNC = "NT4SYNC"
 FILL_DRS = "DRS"
-SYSVOL_ACL = "O:${DOMAINSID}-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-32-549)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
-POLICIES_ACL = "O:${DOMAINSID}-500G:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-32-549)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;${DOMAINSID}-520)"
+SYSVOL_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
+POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
 
 def set_gpo_acl(path,acl,lp,domsid):
     setntacl(lp,path,acl,domsid)
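Review bot: The rewritten SYSVOL_ACL and POLICIES_ACL constants now depend on SDDL aliases (LA, BA, SO, SY, AU, PA) being expanded inside from_sddl with the domain SID handed to setntacl, but nothing at the definitions records that, so a reader no longer sees what the removed lines made explicit: LA stands for the domain Administrator account (RID 500), SO for Server Operators (S-1-5-32-549) and PA for the RID 520 Group Policy Creator Owners group. A comment above the two constants, e.g. `# SDDL aliases: LA = domain Administrator (RID 500), SO = Server Operators (S-1-5-32-549), PA = Group Policy Creator Owners (RID 520); domain-relative aliases are resolved by from_sddl against the domain SID passed to setntacl`, would keep that mapping next to the strings for anyone auditing the resulting sysvol permissions. The commit subject lists BA, SA and CO while the strings actually introduce LA, SO and PA; presumably only the subject is stale, but it is worth confirming the intended assignees. set_gpo_acl's body may continue past the end of the hunk.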
@@ -1078,27 +1078,25 @@ def set_gpo_acl(path,acl,lp,domsid):
 
 def setsysvolacl(samdb,names,netlogon,sysvol,gid,domainsid,lp):
     canchown = 1
-    acl = SYSVOL_ACL.replace("${DOMAINSID}",str(domainsid))
     try:
         os.chown(sysvol,-1,gid)
     except:
         canchown = 0
-    setntacl(lp,sysvol,acl,str(domainsid))
+    setntacl(lp,sysvol,SYSVOL_ACL,str(domainsid))
     for root, dirs, files in os.walk(sysvol, topdown=False):
         for name in files:
             if canchown:
                 os.chown(os.path.join(root, name),-1,gid)
-            setntacl(lp,os.path.join(root, name),acl,str(domainsid))
+            setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid))
         for name in dirs:
             if canchown:
                 os.chown(os.path.join(root, name),-1,gid)
-            setntacl(lp,os.path.join(root, name),acl,str(domainsid))
+            setntacl(lp,os.path.join(root, name),SYSVOL_ACL,str(domainsid))
 
     # Set ACL for GPO
     policy_path = os.path.join(sysvol, names.dnsdomain, "Policies")
-    acl = POLICIES_ACL.replace("${DOMAINSID}",str(domainsid))
-    set_gpo_acl(policy_path,dsacl2fsacl(acl,str(domainsid)),lp,str(domainsid))
+    set_gpo_acl(policy_path,dsacl2fsacl(POLICIES_ACL,str(domainsid)),lp,str(domainsid))
     res = samdb.search(base="CN=Policies,CN=System,%s"%(names.domaindn),
                        attrs=["cn","nTSecurityDescriptor"],
                        expression="", scope=ldb.SCOPE_ONELEVEL)
-- 
cgit
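Review bot: With the local `acl` variable gone, every new setntacl call in setsysvolacl repeats `str(domainsid)` inline, twice per file and directory inside the os.walk loop and three times on the set_gpo_acl line, which makes the calls long and the sysvol walk harder to scan. Binding the string once at the top of the function, `domsid = str(domainsid)` right after `canchown = 1`, and passing `domsid` to setntacl, dsacl2fsacl and set_gpo_acl keeps each call short and mirrors the `domsid` parameter name set_gpo_acl already uses. The same constant-vs-converted split now also applies to the set_gpo_acl line, where POLICIES_ACL still passes through dsacl2fsacl while SYSVOL_ACL is applied directly; that asymmetry predates this commit, but a one-line comment on why the GPO ACL needs the conversion would help the next reader. setsysvolacl continues beyond the end of the hunk.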