From 5eb3b919c59b62065db32e0575fcd1d84a64e3db Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Tue, 5 Jan 2010 17:08:56 +1100
Subject: s4-provision: the DC object itself needs a fixed objectSID
We can't allocate a objectSID until we have rIDSetReferences, but that is in the DC object, so we have to force the objectSID of the DC
Pair-Programmed-With: Andrew Bartlett
---
 source4/scripting/python/samba/provision.py | 1 +
 1 file changed, 1 insertion(+)
(limited to 'source4/scripting/python')
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index d7d0a790ca..62ca9282d1 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -796,6 +796,7 @@ def setup_self_join(samdb, names,
 "DNSPASS_B64": b64encode(dnspass),
 "REALM": names.realm,
 "DOMAIN": names.domain,
+ "DOMAINSID": str(domainsid),
 "DNSDOMAIN": names.dnsdomain,
 "SAMBA_VERSION_STRING": version,
 "NTDSGUID": ntdsguid_line,
-- cgit
From fcfb5d7b63293a13fa4984c0a4502a682a5a02a9 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Wed, 6 Jan 2010 09:15:35 +1100
Subject: s4-provision: allow provision modifies to add records
we need to recognise a changetype of 'add'
---
 source4/scripting/python/samba/__init__.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'source4/scripting/python')
diff --git a/source4/scripting/python/samba/__init__.py b/source4/scripting/python/samba/__init__.py
index 5d61c1bd8c..d7df6b979b 100644
--- a/source4/scripting/python/samba/__init__.py
+++ b/source4/scripting/python/samba/__init__.py
@@ -255,7 +255,10 @@ class Ldb(ldb.Ldb):
 :param ldif: LDIF text.
 """
 for changetype, msg in self.parse_ldif(ldif):
- self.modify(msg, controls)
+ if (changetype == ldb.CHANGETYPE_ADD):
+ self.add(msg, controls)
+ else:
+ self.modify(msg, controls)
 def set_domain_sid(self, sid):
 """Change the domain SID used by this LDB.
-- cgit
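Review bot: The new branch only special-cases CHANGETYPE_ADD, so a `changetype: delete` record in the same LDIF still falls into the `else` and is handed to `self.modify()`, which would either fail or apply the wrong operation; the enclosing method's signature and the start of its docstring are above the hunk. If, as I expect, LDIF with no explicit changetype parses as CHANGETYPE_NONE and this method exists to apply modifies, the safer shape keeps modify for that case and rejects everything else: `elif changetype in (ldb.CHANGETYPE_NONE, ldb.CHANGETYPE_MODIFY): self.modify(msg, controls)` followed by `else: raise ValueError("unsupported changetype %r" % changetype)`. The parentheses around the condition are also unidiomatic (`if changetype == ldb.CHANGETYPE_ADD:`). The docstring's `:param ldif: LDIF text.` should now state that add records are applied with add() and the rest with modify(), since callers relying on the old "everything is a modify" contract will otherwise be surprised.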
From 53d10d139e569f9132193e8f8c268638eab30a0b Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Wed, 6 Jan 2010 09:26:17 +1100
Subject: s4-provision: don't hard wire the creation of the RID Set object
We now create it automatically in the samldb module when the first user is created. The creation of the dns user also had to move to the _modify.ldif as it now relies on the fSMO role being setup for the RID Manager
Pair-Programmed-With: Andrew Bartlett
---
 source4/scripting/python/samba/provision.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'source4/scripting/python')
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 62ca9282d1..bb47d2bd5c 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -793,7 +793,6 @@ def setup_self_join(samdb, names,
 "DEFAULTSITE": names.sitename,
 "DNSNAME": "%s.%s" % (names.hostname, names.dnsdomain),
 "MACHINEPASS_B64": b64encode(machinepass),
- "DNSPASS_B64": b64encode(dnspass),
 "REALM": names.realm,
 "DOMAIN": names.domain,
 "DOMAINSID": str(domainsid),
@@ -825,7 +824,8 @@ def setup_self_join(samdb, names,
 "DEFAULTSITE": names.sitename,
 "SERVERDN": names.serverdn,
 "NETBIOSNAME": names.netbiosname,
- "NTDSGUID": names.ntdsguid
+ "NTDSGUID": names.ntdsguid,
+ "DNSPASS_B64": b64encode(dnspass),
 })
-- cgit
From 1f25d0a5add1812723dfb93da28bbb80dc5d6757 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Thu, 7 Jan 2010 10:12:24 +1100
Subject: s4-provision: re-open sam.ldb after creating the schema
This enables the full schema during the rest of the provision, which means indexing is enabled (along with index error checking, such as duplicate SIDs)
---
 source4/scripting/python/samba/provision.py | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'source4/scripting/python')
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index bb47d2bd5c..0d50789b77 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -946,6 +946,15 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp,
 setup_add_ldif(samdb, setup_path("aggregate_schema.ldif"),
 {"SCHEMADN": names.schemadn})
+ message("Reopening sam.ldb with new schema");
+ samdb.transaction_commit()
+ samdb = Ldb(session_info=session_info,
+ credentials=provision_backend.credentials, lp=lp)
+ samdb.connect(path)
+ samdb.transaction_start()
+ if serverrole == "domain controller":
+ samdb.set_invocation_id(invocationid)
+
 message("Setting up sam.ldb configuration data")
 setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
 "CONFIGDN": names.configdn,
-- cgit
From a7fffe8da0464b25d587e5148207e1a67b930505 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Thu, 7 Jan 2010 17:31:23 +1100
Subject: s4-provision: do a self join for all server types
We need a machine account so the RID allocation code can work. It seems better to use the same code paths for a domain controller and standalone server to avoid testing headaches with little used code.
---
 source4/scripting/python/samba/provision.py | 39 +++++++++++++----------------
 1 file changed, 17 insertions(+), 22 deletions(-)
(limited to 'source4/scripting/python')
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 0d50789b77..a71b561a86 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
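Review bot: The added `samdb.transaction_commit()` in the middle of setup_samdb makes the schema load durable before the rest of the provision runs, so the `except: samdb.transaction_cancel()` visible later in this function (in the next commit's `@@ -1013` hunk) can no longer roll back to an empty database if configuration or self-join fails, and a failed provision will leave a half-populated sam.ldb for the next attempt to trip over. If the reopen is genuinely needed to pick up the new schema, that trade-off should be recorded at this line, e.g. `# NOTE: committed here so the reopened handle sees the new schema; the later transaction_cancel() only reverts what follows`. The reopened handle only gets `set_invocation_id()` re-applied, whereas the earlier handle also had `set_domain_sid()` and `set_opaque_integer("domainControllerFunctionality", ...)` applied (visible in the `@@ -893` context of the next commit), so it is worth confirming whether those have to be set again on the new `Ldb`. The trailing `;` on the `message(...)` line is a stray statement terminator. setup_samdb starts and ends outside this hunk.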
@@ -893,10 +893,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp,
 samdb.set_opaque_integer("domainControllerFunctionality",
 domainControllerFunctionality)
 samdb.set_domain_sid(str(domainsid))
- if serverrole == "domain controller":
- samdb.set_invocation_id(invocationid)
- # NOTE: the invocationid for standalone and member server
- # cases is setup in the sambd_dsdb module init function
+ samdb.set_invocation_id(invocationid)
 message("Adding DomainDN: %s" % names.domaindn)
@@ -952,8 +949,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp,
 credentials=provision_backend.credentials, lp=lp)
 samdb.connect(path)
 samdb.transaction_start()
- if serverrole == "domain controller":
- samdb.set_invocation_id(invocationid)
+ samdb.set_invocation_id(invocationid)
 message("Setting up sam.ldb configuration data")
 setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
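Review bot: The removed comment said the invocationid for standalone and member servers is set up in the samba_dsdb module init; with `samdb.set_invocation_id(invocationid)` now unconditional here (and again after the reopen in the `@@ -952` hunk), two places may be assigning it, and I cannot tell from these hunks whether the module init was changed to defer to the provision-supplied value or whether the two could disagree. A replacement comment stating the new ownership would save the next reader the same question, e.g. `# invocationid is set for every server role; provision() generates one when the caller passes None`. Both hunks are inside setup_samdb, which starts and ends outside them.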
@@ -1013,21 +1009,20 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp,
 "KRBTGTPASS_B64": b64encode(krbtgtpass),
 })
- if serverrole == "domain controller":
- message("Setting up self join")
- setup_self_join(samdb, names=names, invocationid=invocationid,
- dnspass=dnspass,
- machinepass=machinepass,
- domainsid=domainsid, policyguid=policyguid,
- policyguid_dc=policyguid_dc,
- setup_path=setup_path,
- domainControllerFunctionality=domainControllerFunctionality,
- ntdsguid=ntdsguid)
-
- ntds_dn = "CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,%s" % (names.hostname, names.domaindn)
- names.ntdsguid = samdb.searchone(basedn=ntds_dn,
- attribute="objectGUID", expression="", scope=SCOPE_BASE)
- assert isinstance(names.ntdsguid, str)
+ message("Setting up self join")
+ setup_self_join(samdb, names=names, invocationid=invocationid,
+ dnspass=dnspass,
+ machinepass=machinepass,
+ domainsid=domainsid, policyguid=policyguid,
+ policyguid_dc=policyguid_dc,
+ setup_path=setup_path,
+ domainControllerFunctionality=domainControllerFunctionality,
+ ntdsguid=ntdsguid)
+
+ ntds_dn = "CN=NTDS Settings,CN=%s,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,%s" % (names.hostname, names.domaindn)
+ names.ntdsguid = samdb.searchone(basedn=ntds_dn,
+ attribute="objectGUID", expression="", scope=SCOPE_BASE)
+ assert isinstance(names.ntdsguid, str)
 except:
 samdb.transaction_cancel()
@@ -1146,7 +1141,7 @@ def provision(setup_dir, message, session_info,
 serverrole = lp.get("server role")
 assert serverrole in ("domain controller", "member server", "standalone")
- if invocationid is None and serverrole == "domain controller":
+ if invocationid is None:
 invocationid = str(uuid.uuid4())
 if not os.path.exists(paths.private_dir):
-- cgit
From d371b0eabe360f7c184a10282f63a64b0cfc550f Mon Sep 17 00:00:00 2001
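Review bot: The now-unconditional `ntds_dn` hard-codes `CN=Default-First-Site-Name` while the self join itself is templated with `names.sitename` (passed as `DEFAULTSITE` in setup_self_join), so if `names.sitename` can differ from that default the search will target an NTDS Settings object that was never created; this was already true of the removed lines, but it now runs for every server role, and `ntds_dn = "CN=NTDS Settings,CN=%s,CN=Servers,CN=%s,CN=Sites,CN=Configuration,%s" % (names.hostname, names.sitename, names.domaindn)` would keep the two in step. The read-back GUID is validated only by `assert isinstance(names.ntdsguid, str)`, which disappears under `python -O`, so a missing object would surface as a confusing failure much later; an explicit check that raises is the safer form. The `@@ -1146` hunk's `if invocationid is None:` is the matching change in provision() and reads correctly. setup_samdb starts and ends outside this hunk.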
From: Andrew Tridgell
Date: Fri, 8 Jan 2010 16:59:27 +1100
Subject: s4-schema: added adminDisplayName and adminDescription
These are missing from the WSPP schemas
Pair-Programmed-With: Andrew Bartlett
---
 source4/scripting/python/samba/ms_schema.py | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'source4/scripting/python')
diff --git a/source4/scripting/python/samba/ms_schema.py b/source4/scripting/python/samba/ms_schema.py
index a4eed581c6..9f5ebcf8cc 100644
--- a/source4/scripting/python/samba/ms_schema.py
+++ b/source4/scripting/python/samba/ms_schema.py
@@ -229,6 +229,8 @@ def __transform_entry(entry, objectClass):
 entry.insert(1, ["objectClass", ["top", objectClass]])
 entry.insert(2, ["cn", cn])
 entry.insert(2, ["objectGUID", str(uuid.uuid4())])
+ entry.insert(2, ["adminDescription", cn])
+ entry.insert(2, ["adminDisplayName", cn])
 for l in entry:
 key = l[0].lower()
-- cgit
From 38909a4ae5a2dc3b18a797933586d35cc679d667 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Fri, 8 Jan 2010 17:00:28 +1100
Subject: s4-schema: switch to W2K8-R2 schema
Pair-Programmed-With: Andrew Bartlett
---
 source4/scripting/python/samba/schema.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'source4/scripting/python')
diff --git a/source4/scripting/python/samba/schema.py b/source4/scripting/python/samba/schema.py
index 8913e53b00..67c48e8e58 100644
--- a/source4/scripting/python/samba/schema.py
+++ b/source4/scripting/python/samba/schema.py
@@ -64,8 +64,8 @@ class Schema(object):
 self.schemadn = schemadn
 self.ldb = Ldb()
- self.schema_data = read_ms_schema(setup_path('ad-schema/MS-AD_Schema_2K8_Attributes.txt'),
- setup_path('ad-schema/MS-AD_Schema_2K8_Classes.txt'))
+ self.schema_data = read_ms_schema(setup_path('ad-schema/MS-AD_Schema_2K8_R2_Attributes.txt'),
+ setup_path('ad-schema/MS-AD_Schema_2K8_R2_Classes.txt'))
 if files is not None:
 for file in files:
-- cgit
From 8a09dc12660dcc62926c3a41cacd4970f46f9210 Mon Sep 17 00:00:00 2001
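Review bot: Each `entry.insert(2, ...)` pushes the previous insert down, so after the two added lines the entry reads adminDisplayName, adminDescription, objectGUID, cn — the reverse of the order written; if attribute order in the emitted LDIF matters, a single `entry[2:2] = [["adminDisplayName", cn], ["adminDescription", cn]]` states the intended order directly. Both attributes are populated from `cn` and the commit message only says they are missing, so a one-line comment on why `cn` is the right value for both would help the next reader decide whether that is a convention being mirrored or a placeholder. __transform_entry starts and ends outside this hunk.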
From: Andrew Tridgell
Date: Sat, 9 Jan 2010 20:54:16 +1100
Subject: s4-schema: fixed the SDDL for the schema root security descriptor
This was preventing a DCPROMO client from allowing outgoing replication
---
 source4/scripting/python/samba/schema.py | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
(limited to 'source4/scripting/python')
diff --git a/source4/scripting/python/samba/schema.py b/source4/scripting/python/samba/schema.py
index 67c48e8e58..f702e9829f 100644
--- a/source4/scripting/python/samba/schema.py
+++ b/source4/scripting/python/samba/schema.py
@@ -35,16 +35,20 @@ from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL, SCOPE_BASE
 import os
 def get_schema_descriptor(domain_sid):
- sddl = "O:SAG:SAD:(A;CI;RPLCLORC;;;AU)(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)" \
- "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
- "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
- "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \
- "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
- "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \
- "S:(AU;SA;WPCCDCWOWDSDDTSW;;;WD)" \
- "(AU;CISA;WP;;;WD)(AU;SA;CR;;;BA)" \
- "(AU;SA;CR;;;DU)(OU;SA;CR;e12b56b6-0a95-11d1-adbb-00c04fd8d5cd;;WD)" \
- "(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)"
+ sddl = "O:SAG:SAD:AI(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c" \
+ ";;ER)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)(OA;;CR;1131f6ad-9c07-1" \
+ "1d1-f79f-00c04fc2dcd2;;ER)(OA;;CR;e12b56b6-0a95-11d1-adbb-00c04fd8d5cd;;SA)(O" \
+ "A;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79" \
+ "f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1" \
+ "131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04" \
+ "fc2dcd2;;BA)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;1131f6aa" \
+ "-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2" \
+ ";;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ad-9c07-1" \
+ "1d1-f79f-00c04fc2dcd2;;ED)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;LA)(A;CI;RPWPCRCCLCL" \
+ "ORCWOWDSW;;;SA)(A;CI;RPLCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:(O" \
+ "U;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)(OU;SA;CR;e12b56b6-0a95-11d1" \
+ "-adbb-00c04fd8d5cd;;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPCCDCWOWDSDDTSW;" \
+ ";;WD)(AU;CISA;WP;;;WD)"
 sec = security.descriptor.from_sddl(sddl, domain_sid)
 return ndr_pack(sec)
-- cgit
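Review bot: The new `sddl` literal is wrapped mid-token (for instance `...1131f6ad-9c07-1" \` continuing as `"1d1-f79f-...`), so a reviewer cannot check any single ACE's rights GUID or trustee alias without reassembling the whole string, and this descriptor decides who may read and extend the schema NC and who holds the control-access rights the commit message ties to outgoing replication working. Rewriting the literal as one ACE per string fragment — the same bytes, only the break positions moved — would make each `(OA;;CR;<guid>;;<trustee>)` auditable on its own and diffable against the descriptor it was captured from. `get_schema_descriptor` also has no docstring; a one-liner such as `"""Return the NDR-packed security descriptor for the schema NC root; domain_sid is passed to from_sddl so domain-relative aliases can be resolved."""` would record what the second argument is for.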