From f794e8d43de1c2fb577b883f0e0b49f392fa14a1 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Fri, 16 Oct 2009 18:01:35 +1100
Subject: s4-provision: added the default privileges db

privileges are now stored in a separate database
---
 source4/scripting/python/samba/provision.py | 21 ++++++++
 source4/setup/provision_privilege.ldif | 78 +++++++++++++++++++++++++++++
 2 files changed, 99 insertions(+)
 create mode 100644 source4/setup/provision_privilege.ldif
(limited to 'source4')

diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index fdf1fe9e61..d7fadf3b7e 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -369,6 +369,7 @@ def provision_paths_from_lp(lp, dnsdomain):
 paths.samdb = os.path.join(paths.private_dir, lp.get("sam database") or "samdb.ldb")
 paths.idmapdb = os.path.join(paths.private_dir, lp.get("idmap database") or "idmap.ldb")
 paths.secrets = os.path.join(paths.private_dir, lp.get("secrets database") or "secrets.ldb")
+ paths.privilege = os.path.join(paths.private_dir, "privilege.ldb")
 paths.dns = os.path.join(paths.private_dir, dnsdomain + ".zone")
 paths.namedconf = os.path.join(paths.private_dir, "named.conf")
 paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
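Review bot: `paths.privilege` is hard-coded to `privilege.ldb` while the three entries directly above it consult `lp.get(...)` before falling back to a default name, so this becomes the one private-dir database an administrator cannot relocate from smb.conf. If that is intentional (no loadparm option exists for it), a short comment such as `# no smb.conf override: the privilege db always lives in the private dir` would stop the next reader from treating it as an omission; if not, mirror the neighbouring `lp.get(...) or "privilege.ldb"` pattern.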
@@ -830,6 +831,23 @@ def setup_secretsdb(path, setup_path, session_info, credentials, lp): return secrets_ldb +def setup_privileges(path, setup_path, session_info, lp): + """Setup the privileges database. + + :param path: Path to the privileges database. + :param setup_path: Get the path to a setup file. + :param session_info: Session info. + :param credentials: Credentials + :param lp: Loadparm context + :return: LDB handle for the created secrets database + """ + if os.path.exists(path): + os.unlink(path) + privilege_ldb = Ldb(path, session_info=session_info, lp=lp) + privilege_ldb.erase() + privilege_ldb.load_ldif_file_add(setup_path("provision_privilege.ldif")) + + def setup_registry(path, setup_path, session_info, lp): """Setup the registry. @@ -1301,6 +1319,9 @@ def provision(setup_dir, message, session_info, setup_registry(paths.hklm, setup_path, session_info, lp=lp) + message("Setting up the privileges database") + setup_privileges(paths.privilege, setup_path, session_info, lp=lp) + message("Setting up idmap db") idmap = setup_idmapdb(paths.idmapdb, setup_path, session_info=session_info, lp=lp) diff --git a/source4/setup/provision_privilege.ldif b/source4/setup/provision_privilege.ldif new file mode 100644 index 0000000000..0916c59f30 --- /dev/null +++ b/source4/setup/provision_privilege.ldif 
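Review bot: The docstring on the new setup_privileges does not match its signature or body: it documents a `credentials` parameter the function does not take, and promises `:return: LDB handle for the created secrets database` while the function has no return statement. The text appears to have been copied from setup_secretsdb, which does return its handle, so the smallest consistent fix is to drop the `:param credentials: Credentials` line, change the return line to `:return: LDB handle for the created privileges database`, and end the body with `return privilege_ldb`. The provision() hunk later in this commit discards the result, so returning the handle changes nothing for the existing caller. The `os.unlink(path)` followed by `privilege_ldb.erase()` on a freshly created file is redundant but harmless; if it is there for symmetry with the sibling setup functions, keeping it is fine.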
@@ -0,0 +1,78 @@
+# default privileges - more can be added via LSA or ldbedit
+dn: @ATTRIBUTES
+comment: CASE_INSENSITIVE
+privilege: CASE_INSENSITIVE
+
+dn: @INDEXLIST
+@IDXATTR: objectSid
+@IDXATTR: privilege
+
+dn: sid=S-1-5-32-544
+objectClass: privilege
+comment: Administrators
+objectSid: S-1-5-32-544
+privilege: SeSecurityPrivilege
+privilege: SeBackupPrivilege
+privilege: SeRestorePrivilege
+privilege: SeSystemtimePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeRemoteShutdownPrivilege
+privilege: SeTakeOwnershipPrivilege
+privilege: SeDebugPrivilege
+privilege: SeSystemEnvironmentPrivilege
+privilege: SeSystemProfilePrivilege
+privilege: SeProfileSingleProcessPrivilege
+privilege: SeIncreaseBasePriorityPrivilege
+privilege: SeLoadDriverPrivilege
+privilege: SeCreatePagefilePrivilege
+privilege: SeIncreaseQuotaPrivilege
+privilege: SeChangeNotifyPrivilege
+privilege: SeUndockPrivilege
+privilege: SeManageVolumePrivilege
+privilege: SeImpersonatePrivilege
+privilege: SeCreateGlobalPrivilege
+privilege: SeEnableDelegationPrivilege
+privilege: SeInteractiveLogonRight
+privilege: SeNetworkLogonRight
+privilege: SeRemoteInteractiveLogonRight
+
+dn: sid=S-1-5-32-550
+objectClass: privilege
+comment: Print Operators
+objectSid: S-1-5-32-550
+privilege: SeLoadDriverPrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: sid=S-1-5-32-551
+objectClass: privilege
+comment: Backup Operators
+objectSid: S-1-5-32-551
+privilege: SeBackupPrivilege
+privilege: SeRestorePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: sid=S-1-5-32-549
+objectClass: privilege
+comment: Server Operators
+objectSid: S-1-5-32-549
+privilege: SeBackupPrivilege
+privilege: SeSystemtimePrivilege
+privilege: SeRemoteShutdownPrivilege
+privilege: SeRestorePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: sid=S-1-5-32-548
+objectClass: privilege
+comment: Account Operators
+objectSid: S-1-5-32-548
+privilege: SeInteractiveLogonRight
+
+dn: sid=S-1-5-32-554
+objectClass: privilege
+comment: Pre-Windows 2000 Compatible Access
+objectSid: S-1-5-32-554
+privilege: SeRemoteInteractiveLogonRight
+privilege: SeChangeNotifyPrivilege
-- cgit
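Review bot: The last entry, `dn: sid=S-1-5-32-554` (Pre-Windows 2000 Compatible Access), is granted `SeRemoteInteractiveLogonRight`, which on a Windows domain controller is held by Administrators only; the logon right that group carries by default is `SeNetworkLogonRight` (access this computer from the network), alongside the `SeChangeNotifyPrivilege` that is already listed. Because this file seeds the privilege database of every new provision, and that group may contain Everyone or Anonymous on domains provisioned in compatibility mode, a mistaken grant here is inherited by all deployments, so it is worth confirming against the intended defaults and, if it is a slip, changing the line to `privilege: SeNetworkLogonRight`. The other five group entries match the usual Windows defaults for those builtin groups as far as I can tell.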