From e855fe206810e48181cb3431a80840bf618d5f16 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 18 Mar 2023 16:00:14 +0100 Subject: [PATCH] python/samba: let get_domain_descriptor() include adprep 2016 ACEs We need to make sure a new provision as well as dbcheck --reset-well-known-acls include acls used by adprep 2016, otherwise we would undo the adprep result. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- python/samba/descriptor.py | 7 +++++++ testprogs/blackbox/dbcheck-oldrelease.sh | 8 ++------ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py index e2d1e38ccf9..5b911685db8 100644 --- a/python/samba/descriptor.py +++ b/python/samba/descriptor.py @@ -201,6 +201,13 @@ def get_domain_descriptor(domain_sid, name_map=None): "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ + "(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)" \ + "(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;CN)" \ + "(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)" \ + "(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;KA)" \ + "(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;EK)" \ + "(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)" \ + "(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)" \ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ "(A;;RPRC;;;RU)" \ diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh index afd2d1247ce..b3450f75f20 100755 --- a/testprogs/blackbox/dbcheck-oldrelease.sh +++ b/testprogs/blackbox/dbcheck-oldrelease.sh @@ -408,14 +408,10 @@ dbcheck_clean() } # This should 'fail', because it returns the number of modified records. -# We don't need to run this against 4.1 releases +# We need to run this against all versions without adprep 2016 (before Samba 4.19) dbcheck_acl_reset() { - if [ x$RELEASE = x"release-4-0-0" -o x$RELEASE = x"alpha13" ]; then - $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$@" - else - return 1 - fi + $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb "$@" } # But having fixed it all up, this should pass. # We don't need to run this against 4.1.0rc3 -- 2.11.4.GIT