From 5cf98823cc804906833f7ea763f99de0147b0fee Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 23 Jan 2013 16:27:17 +0100
Subject: [PATCH] provision: fix nTSecurityDescriptor of containers in the DnsZones (bug #9481)

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
 .../scripting/python/samba/provision/sambadns.py | 30 ++++++++++++++--------
 source4/setup/provision_dnszones_add.ldif        |  4 +++
 2 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/source4/scripting/python/samba/provision/sambadns.py b/source4/scripting/python/samba/provision/sambadns.py
index a66fde14259..740dd384176 100644
--- a/source4/scripting/python/samba/provision/sambadns.py
+++ b/source4/scripting/python/samba/provision/sambadns.py
@@ -37,7 +37,11 @@ from samba.dsdb import (
 )
 from samba.provision.descriptor import (
     get_domain_descriptor,
-    get_dns_partition_descriptor
+    get_domain_delete_protected1_descriptor,
+    get_domain_delete_protected2_descriptor,
+    get_dns_partition_descriptor,
+    get_dns_forest_microsoft_dns_descriptor,
+    get_dns_domain_microsoft_dns_descriptor
 )
 from samba.provision.common import (
     setup_path,
@@ -244,6 +248,8 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
     domainzone_dns = ldb.Dn(samdb, domainzone_dn).canonical_ex_str().strip()
     forestzone_dns = ldb.Dn(samdb, forestzone_dn).canonical_ex_str().strip()
 
+    protected1_desc = get_domain_delete_protected1_descriptor(domainsid)
+    protected2_desc = get_domain_delete_protected2_descriptor(domainsid)
     setup_add_ldif(samdb, setup_path("provision_dnszones_add.ldif"), {
         "DOMAINZONE_DN": domainzone_dn,
         "FORESTZONE_DN": forestzone_dn,
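Review bot: The two new locals `protected1_desc` and `protected2_desc` in setup_dns_partitions say nothing about which container each descriptor ends up on; the mapping only becomes visible in the next hunk, where protected2 is fed to `LOSTANDFOUND_DESCRIPTOR` and protected1 to `INFRASTRUCTURE_DESCRIPTOR`. A one-line comment above the assignments such as `# delete-protected descriptors for the zone containers: protected1 -> CN=Infrastructure, protected2 -> CN=LostAndFound (provision_dnszones_add.ldif)` would let a reader verify the pairing without cross-referencing the LDIF template. Both descriptors are derived from `domainsid` and reused for the DomainDnsZones and ForestDnsZones partitions alike; if that is intentional because provisioning always creates the forest root domain, the comment is the place to say so. The enclosing function continues outside this hunk.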
@@ -253,6 +259,8 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
         "FORESTZONE_DNS": forestzone_dns,
         "CONFIGDN": configdn,
         "SERVERDN": serverdn,
+        "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc),
+        "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc),
         })
 
     setup_modify_ldif(samdb, setup_path("provision_dnszones_modify.ldif"), {
@@ -269,18 +277,18 @@ def add_dns_accounts(samdb, domaindn):
         })
 
 
-def add_dns_container(samdb, domaindn, prefix, domainsid, dnsadmins_sid):
+def add_dns_container(samdb, domaindn, prefix, domain_sid, dnsadmins_sid, forest=False):
+    name_map = {'DnsAdmins': str(dnsadmins_sid)}
+    if forest is True:
+        sd_val = get_dns_forest_microsoft_dns_descriptor(domain_sid,
+                                                         name_map=name_map)
+    else:
+        sd_val = get_dns_domain_microsoft_dns_descriptor(domain_sid,
+                                                         name_map=name_map)
     # CN=MicrosoftDNS,,
-    sddl = "O:SYG:SYD:AI" \
-    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" \
-    "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;%s)" \
-    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
-    "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" \
-    "S:AI" % dnsadmins_sid
-    sec = security.descriptor.from_sddl(sddl, domainsid)
     msg = ldb.Message(ldb.Dn(samdb, "CN=MicrosoftDNS,%s,%s" % (prefix, domaindn)))
     msg["objectClass"] = ["top", "container"]
-    msg["nTSecurityDescriptor"] = ldb.MessageElement(ndr_pack(sec), ldb.FLAG_MOD_ADD,
+    msg["nTSecurityDescriptor"] = ldb.MessageElement(sd_val, ldb.FLAG_MOD_ADD,
         "nTSecurityDescriptor")
     samdb.add(msg)
 
@@ -942,7 +950,7 @@ def create_dns_partitions(samdb, domainsid, names, domaindn, forestdn,
     add_dns_container(samdb, domaindn, "DC=DomainDnsZones", domainsid,
                       dnsadmins_sid)
     add_dns_container(samdb, forestdn, "DC=ForestDnsZones", domainsid,
-                      dnsadmins_sid)
+                      dnsadmins_sid, forest=True)
 
 
 def fill_dns_data_partitions(samdb, domainsid, site, domaindn, forestdn,
diff --git a/source4/setup/provision_dnszones_add.ldif b/source4/setup/provision_dnszones_add.ldif
index bd97bb9aacd..bf872f0b64d 100644
--- a/source4/setup/provision_dnszones_add.ldif
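Review bot: `if forest is True:` in the new add_dns_container body only selects the forest descriptor for the literal `True`; any other truthy value silently falls through to the domain descriptor, which for a security-descriptor choice is the wrong direction to fail in. The plain truth test `if forest:` is the idiom and matches the `forest=True` keyword passed in the `@@ -942,7 +950,7 @@` hunk. The fourth positional parameter was also renamed from `domainsid` to `domain_sid`; the visible caller passes it positionally so nothing here breaks, but any caller using `domainsid=` by keyword would, so either keep the old name or mention the rename in the commit message. With the inline SDDL and the `security.descriptor.from_sddl`/`ndr_pack` calls removed, those two imports may now be unused in this module unless other functions still reference them, which is not visible in this diff.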
+++ b/source4/setup/provision_dnszones_add.ldif
@@ -14,12 +14,14 @@ objectClass: top
 objectClass: lostAndFound
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR}
 
 dn: CN=Infrastructure,${DOMAINZONE_DN}
 objectClass: top
 objectClass: infrastructureUpdate
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
 
 dn: CN=NTDS Quotas,${DOMAINZONE_DN}
 objectClass: top
@@ -41,12 +43,14 @@ objectClass: top
 objectClass: lostAndFound
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR}
 
 dn: CN=Infrastructure,${FORESTZONE_DN}
 objectClass: top
 objectClass: infrastructureUpdate
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
 
 dn: CN=NTDS Quotas,${FORESTZONE_DN}
 objectClass: top
-- 
2.11.4.GIT
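Review bot: In the `@@ -14,12 +14,14 @@` hunk the `dn: CN=NTDS Quotas,${DOMAINZONE_DN}` entry at the end still shows no `nTSecurityDescriptor::` line while its sibling LostAndFound and Infrastructure containers now receive an explicit one; that entry continues past the hunk, so this may be handled further down, but if the container is meant to rely on the descriptor inherited from the partition head, a comment such as `# nTSecurityDescriptor intentionally omitted here: inherits from the partition head` above the `dn:` line would mark the asymmetry as deliberate. The same applies to the `@@ -41,12 +43,14 @@` hunk for `${FORESTZONE_DN}`. The `::` attribute form requires the substituted value to be base64, which the Python side supplies through `b64encode`; a short comment on the first such line would save the next reader from checking the encoding on the provisioning side.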