From a807c8364168850f4c626aeecca56e1762b5d45b Mon Sep 17 00:00:00 2001 From: Amitay Isaacs Date: Tue, 20 Sep 2011 17:30:10 +1000 Subject: s4-provision: Set security descriptor for DNS records --- .../scripting/python/samba/provision/__init__.py | 2 +- .../scripting/python/samba/provision/sambadns.py | 119 ++++++++++++++++++--- 2 files changed, 103 insertions(+), 18 deletions(-) (limited to 'source4/scripting') diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index be0e903cd9..c00c2e8481 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -1593,7 +1593,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths, # It might be that this attribute does not exist in this schema raise - setup_ad_dns(samdb, secrets_ldb, names, paths, lp, logger, + setup_ad_dns(samdb, secrets_ldb, domainsid, names, paths, lp, logger, hostip=hostip, hostip6=hostip6, dns_backend=dns_backend, dnspass=dnspass, os_level=dom_for_fun_level, targetdir=targetdir, site=DEFAULTSITE) diff --git a/source4/scripting/python/samba/provision/sambadns.py b/source4/scripting/python/samba/provision/sambadns.py index d7d75cdca5..24272f5017 100644 --- a/source4/scripting/python/samba/provision/sambadns.py +++ b/source4/scripting/python/samba/provision/sambadns.py @@ -25,10 +25,11 @@ import uuid import shutil import time import ldb +from base64 import b64encode import samba from samba.ndr import ndr_pack, ndr_unpack from samba import read_and_sub_file, setup_file -from samba.dcerpc import dnsp, misc +from samba.dcerpc import dnsp, misc, security from samba.dsdb import ( DS_DOMAIN_FUNCTION_2000, DS_DOMAIN_FUNCTION_2003, @@ -48,6 +49,13 @@ def modify_ldif(ldb, ldif_file, subst_vars, controls=["relax:0"]): data = read_and_sub_file(ldif_file_path, subst_vars) ldb.modify_ldif(data, controls) +def set_security_descriptor(samdb, dn_str, descriptor): + msg = ldb.Message() + msg.dn = ldb.Dn(samdb, dn_str) + msg["nTSecurityDescriptor"] = ldb.MessageElement(descriptor, + ldb.FLAG_MOD_REPLACE, "nTSecurityDescriptor") + samdb.modify(msg, controls=["relax:0"]) + def setup_ldb(ldb, ldif_path, subst_vars): """Import a LDIF a file into a LDB handle, optionally substituting variables. @@ -90,6 +98,60 @@ def get_ntdsguid(samdb, domaindn): ntdsguid = str(ndr_unpack(misc.GUID, res3[0]["objectGUID"][0])) return ntdsguid +def get_dns_partition_descriptor(domainsid): + sddl = "O:SYG:BAD:AI" \ + "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ + "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ + "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ + "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ + "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ + "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ + "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ + "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \ + "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ + "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \ + "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ + "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ + "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ + "(A;;RPRC;;;RU)" \ + "(A;CI;LC;;;RU)" \ + "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \ + "(A;;RP;;;WD)" \ + "(A;;RPLCLORC;;;ED)" \ + "(A;;RPLCLORC;;;AU)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "S:AI" \ + "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ + "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ + "(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWOWD;;;WD)" + sec = security.descriptor.from_sddl(sddl, domainsid) + return ndr_pack(sec) class ARecord(dnsp.DnssrvRpcRecord): def __init__(self, ip_addr, serial=1, ttl=900, rank=dnsp.DNS_RANK_ZONE): @@ -159,12 +221,7 @@ class SRVRecord(dnsp.DnssrvRpcRecord): srv.wWeight = weight self.data = srv - -def setup_dns_partitions(samdb, domaindn, forestdn, configdn, serverdn): - - # FIXME: Default security descriptor for Domain-DNS objectCategory is different in - # our documentation from windows - +def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, serverdn): domainzone_dn = "DC=DomainDnsZones,%s" % domaindn forestzone_dn = "DC=ForestDnsZones,%s" % forestdn @@ -173,6 +230,10 @@ def setup_dns_partitions(samdb, domaindn, forestdn, configdn, serverdn): "FORESTZONE_DN": forestzone_dn, }) + descriptor = get_dns_partition_descriptor(domainsid) + set_security_descriptor(samdb, domainzone_dn, descriptor) + set_security_descriptor(samdb, forestzone_dn, descriptor) + domainzone_guid = get_domainguid(samdb, domainzone_dn) forestzone_guid = get_domainguid(samdb, forestzone_dn) @@ -206,14 +267,21 @@ def add_dns_accounts(samdb, domaindn): "DOMAINDN": domaindn, }) -def add_dns_container(samdb, domaindn, prefix): +def add_dns_container(samdb, domaindn, prefix, domainsid): # CN=MicrosoftDNS,, + sddl = "O:SYG:SYD:AI" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" \ + "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;S-1-5-21-3468611895-2137509179-3280132445-1101)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" \ + "S:AI" + sec = security.descriptor.from_sddl(sddl, domainsid) msg = ldb.Message(ldb.Dn(samdb, "CN=MicrosoftDNS,%s,%s" % (prefix, domaindn))) msg["objectClass"] = ["top", "container"] msg["displayName"] = ldb.MessageElement("DNS Servers", ldb.FLAG_MOD_ADD, "displayName") + msg["nTSecurityDescriptor"] = ndr_pack(sec) samdb.add(msg) - def add_rootservers(samdb, domaindn, prefix): rootservers = {} rootservers["a.root-servers.net"] = "198.41.0.4" @@ -337,10 +405,26 @@ def add_host_record(samdb, container_dn, prefix, hostip, hostip6): msg["dnsRecord"] = ldb.MessageElement(host_records, ldb.FLAG_MOD_ADD, "dnsRecord") samdb.add(msg) -def add_domain_record(samdb, domaindn, prefix, dnsdomain): +def add_domain_record(samdb, domaindn, prefix, dnsdomain, domainsid): # DC=,CN=MicrosoftDNS,, + sddl = "O:SYG:BAD:AI" \ + "(D;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-3468611895-2137509179-3280132445-1103)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" \ + "(A;;CC;;;AU)" \ + "(A;;RPLCLORC;;;WD)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" \ + "(A;CIID;RPWPCRCCDCLCRCWOWDSDDTSW;;;S-1-5-21-3468611895-2137509179-3280132445-1101)" \ + "(A;CIID;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" \ + "(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ + "(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ + "(A;CIID;LC;;;RU)" \ + "(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \ + "S:AI" + sec = security.descriptor.from_sddl(sddl, domainsid) msg = ldb.Message(ldb.Dn(samdb, "DC=%s,CN=MicrosoftDNS,%s,%s" % (dnsdomain, prefix, domaindn))) msg["objectClass"] = ["top", "dnsZone"] + msg["ntSecurityDescriptor"] = ndr_pack(sec) samdb.add(msg) def add_msdcs_record(samdb, forestdn, prefix, dnsforest): @@ -667,7 +751,7 @@ def is_valid_os_level(os_level): return DS_DOMAIN_FUNCTION_2000 <= os_level <= DS_DOMAIN_FUNCTION_2008_R2 -def setup_ad_dns(samdb, secretsdb, names, paths, lp, logger, dns_backend, +def setup_ad_dns(samdb, secretsdb, domainsid, names, paths, lp, logger, dns_backend, os_level, site, dnspass=None, hostip=None, hostip6=None, targetdir=None): """Provision DNS information (assuming GC role) @@ -731,7 +815,7 @@ def setup_ad_dns(samdb, secretsdb, names, paths, lp, logger, dns_backend, logger.info("Populating CN=MicrosoftDNS,CN=System,%s" % domaindn) # Set up MicrosoftDNS container - add_dns_container(samdb, domaindn, "CN=System") + add_dns_container(samdb, domaindn, "CN=System", domainsid) # Add root servers add_rootservers(samdb, domaindn, "CN=System") @@ -739,7 +823,7 @@ def setup_ad_dns(samdb, secretsdb, names, paths, lp, logger, dns_backend, if os_level == DS_DOMAIN_FUNCTION_2000: # Add domain record - add_domain_record(samdb, domaindn, "CN=System", dnsdomain) + add_domain_record(samdb, domaindn, "CN=System", dnsdomain, domainsid) # Add DNS records for a DC in domain add_dc_domain_records(samdb, domaindn, "CN=System", site, dnsdomain, @@ -750,19 +834,20 @@ def setup_ad_dns(samdb, secretsdb, names, paths, lp, logger, dns_backend, # Set up additional partitions (DomainDnsZones, ForstDnsZones) logger.info("Creating DomainDnsZones and ForestDnsZones partitions") - setup_dns_partitions(samdb, domaindn, forestdn, names.configdn, names.serverdn) + setup_dns_partitions(samdb, domainsid, domaindn, forestdn, + names.configdn, names.serverdn) ##### Set up DC=DomainDnsZones, logger.info("Populating DomainDnsZones partition") # Set up MicrosoftDNS container - add_dns_container(samdb, domaindn, "DC=DomainDnsZones") + add_dns_container(samdb, domaindn, "DC=DomainDnsZones", domainsid) # Add rootserver records add_rootservers(samdb, domaindn, "DC=DomainDnsZones") # Add domain record - add_domain_record(samdb, domaindn, "DC=DomainDnsZones", dnsdomain) + add_domain_record(samdb, domaindn, "DC=DomainDnsZones", dnsdomain, domainsid) # Add DNS records for a DC in domain add_dc_domain_records(samdb, domaindn, "DC=DomainDnsZones", site, dnsdomain, @@ -772,7 +857,7 @@ def setup_ad_dns(samdb, secretsdb, names, paths, lp, logger, dns_backend, logger.info("Populating ForestDnsZones partition") # Set up MicrosoftDNS container - add_dns_container(samdb, forestdn, "DC=ForestDnsZones") + add_dns_container(samdb, forestdn, "DC=ForestDnsZones", domainsid) # Add _msdcs record add_msdcs_record(samdb, forestdn, "DC=ForestDnsZones", dnsforest) -- cgit