From 914a61d9e5b7a182592f3afe60f4dad1cd342fc4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 11 Dec 2012 03:15:26 +0100
Subject: s4:provision: set the correct nTSecurityDescriptor on CN=Domain Controllers,... (bug #9481)

Signed-off-by: Stefan Metzmacher
Reviewed-by: Michael Adam
Autobuild-User(master): Michael Adam
Autobuild-Date(master): Tue Dec 11 07:05:39 CET 2012 on sn-devel-104
---
 source4/scripting/python/samba/provision/__init__.py | 3 +++
 source4/scripting/python/samba/provision/descriptor.py | 12 ++++++++++++
 source4/setup/provision.ldif | 1 +
 3 files changed, 16 insertions(+)
(limited to 'source4')

diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index c5a8b397ab..e6ea855b57 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -86,6 +86,7 @@ from samba.provision.descriptor import (
 get_domain_builtin_descriptor,
 get_domain_computers_descriptor,
 get_domain_users_descriptor,
+ get_domain_controllers_descriptor
 )
 from samba.provision.common import (
 setup_path,
@@ -1308,6 +1309,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
 logger.info("Setting up sam.ldb data")
 infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid))
 builtin_desc = b64encode(get_domain_builtin_descriptor(domainsid))
+ controllers_desc = b64encode(get_domain_controllers_descriptor(domainsid))
 setup_add_ldif(samdb, setup_path("provision.ldif"), {
 "CREATTIME": str(samba.unix2nttime(int(time.time()))),
 "DOMAINDN": names.domaindn,
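Review bot: `get_domain_controllers_descriptor` is appended at the end of the import list without a trailing comma, which breaks the alphabetical order the visible entries follow (builtin, computers, users) and means the next name added here will touch this line again. Writing it as `get_domain_controllers_descriptor,` and placing it directly after `get_domain_computers_descriptor,` keeps both the order and the one-line-per-addition property. The import statement itself opens above the hunk.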
@@ -1319,6 +1321,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
 "POLICYGUID_DC": policyguid_dc,
 "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
 "BUILTIN_DESCRIPTOR": builtin_desc,
+ "DOMAIN_CONTROLLERS_DESCRIPTOR": controllers_desc,
 })
 
 # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
index 2a98168a5e..adf75797cc 100644
--- a/source4/scripting/python/samba/provision/descriptor.py
+++ b/source4/scripting/python/samba/provision/descriptor.py
@@ -237,6 +237,18 @@ def get_domain_users_descriptor(domain_sid):
 sec = security.descriptor.from_sddl(sddl, domain_sid)
 return ndr_pack(sec)
 
+def get_domain_controllers_descriptor(domain_sid):
+ sddl = "D:" \
+ "(A;;RPLCLORC;;;AU)" \
+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "(A;;RPLCLORC;;;ED)" \
+ "S:" \
+ "(AU;SA;CCDCWOWDSDDT;;;WD)" \
+ "(AU;CISA;WP;;;WD)"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return ndr_pack(sec)
+
 def get_dns_partition_descriptor(domainsid):
 sddl = "O:SYG:BAD:AI" \
 "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 5d20189de2..51e56ff2a6 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -46,6 +46,7 @@ systemFlags: -1946157056
 isCriticalSystemObject: TRUE
 showInAdvancedViewOnly: FALSE
 gPLink: [LDAP://CN={${POLICYGUID_DC}},CN=Policies,CN=System,${DOMAINDN};0]
+nTSecurityDescriptor:: ${DOMAIN_CONTROLLERS_DESCRIPTOR}
 
 # Joined DC located in "provision_self_join.ldif"
 
-- cgit
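Review bot: `get_domain_controllers_descriptor` in the descriptor.py hunk has no docstring, and its six SDDL ACEs carry no comment on what they grant, so a reader has to decode each string by hand to check that the DACL on the container holding every DC account is the intended one; a one-line docstring such as `"""Return the NDR-packed nTSecurityDescriptor for the Domain Controllers container, built from SDDL resolved against domain_sid."""` plus a short comment naming the principals (AU and ED read-only, DA and SY write, WD audited via the SACL) would carry that. Unlike `get_dns_partition_descriptor`, whose SDDL in the context lines begins `"O:SYG:BAD:AI"`, this string starts at `D:` with no owner, no group and no `AI`/`P` control flag on the DACL; if that omission is deliberate (owner and group filled in elsewhere, presumably to match the Windows default this bug fix targets), a comment saying so would stop the next maintainer reading it as an oversight. Because a single mistyped access-right letter here silently widens or narrows who can modify DC objects, a small test that packs the result, unpacks it and compares the SDDL rendered against a fixed domain SID with the expected string would pin the descriptor down. The new function is complete within the hunk.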