From 649fb5b61492562f1400996a6ccf33af17af5b6b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 10 Dec 2012 11:32:07 +0100
Subject: [PATCH] s4:provision: set the correct nTSecurityDescriptor on CN=Partitions,CN=Configuration... (bug #9481)
Signed-off-by: Stefan Metzmacher
Reviewed-by: Michael Adam
---
source4/scripting/python/samba/provision/__init__.py | 3 +++
source4/scripting/python/samba/provision/descriptor.py | 17 +++++++++++++++++
source4/setup/provision_configuration.ldif | 1 +
3 files changed, 21 insertions(+)
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index c3713c90570..63b1bd004db 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -79,6 +79,7 @@ from samba.provision.backend import (
 from samba.provision.descriptor import (
 get_empty_descriptor,
 get_config_descriptor,
+ get_config_partitions_descriptor,
 get_domain_descriptor
 )
 from samba.provision.common import (
@@ -1255,6 +1256,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
 # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
 if fill == FILL_FULL:
 logger.info("Setting up sam.ldb configuration data")
+ partitions_descr = b64encode(get_config_partitions_descriptor(domainsid))
 setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
 "CONFIGDN": names.configdn,
 "NETBIOSNAME": names.netbiosname,
@@ -1266,6 +1268,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
 "SERVERDN": names.serverdn,
 "FOREST_FUNCTIONALITY": str(forestFunctionality),
 "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
+ "PARTITIONS_DESCRIPTOR": partitions_descr,
 })
 logger.info("Setting up display specifiers")
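Review bot: The new line `partitions_descr = b64encode(get_config_partitions_descriptor(domainsid))` in the @@ -1255 hunk relies on `b64encode` already being in scope in this module, because the import hunk at @@ -79 only adds `get_config_partitions_descriptor`; the patch does not show a `from base64 import b64encode`, so that should be confirmed against the file. The value is consumed once, in the `"PARTITIONS_DESCRIPTOR"` entry added by the @@ -1266 hunk, where the neighbouring keys compute their values inline (`str(forestFunctionality)`), so either form is consistent enough, but a short why-comment on the new assignment would help the next reader, e.g. `# CN=Partitions,CN=Configuration gets an explicit nTSecurityDescriptor (bug #9481)`. fill_samdb starts and ends outside these hunks.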
diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
index 3bb24682629..dd1f62f86c0 100644
--- a/source4/scripting/python/samba/provision/descriptor.py
+++ b/source4/scripting/python/samba/provision/descriptor.py
@@ -57,6 +57,23 @@ def get_config_descriptor(domain_sid):
 sec = security.descriptor.from_sddl(sddl, domain_sid)
 return ndr_pack(sec)
+def get_config_partitions_descriptor(domain_sid):
+ sddl = "D:" \
+ "(A;;LCLORC;;;AU)" \
+ "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)" \
+ "(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)" \
+ "(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)" \
+ "(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)" \
+ "(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)" \
+ "(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)" \
+ "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "(A;;CC;;;ED)" \
+ "(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)" \
+ "S:" \
+ "(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return ndr_pack(sec)
 def get_domain_descriptor(domain_sid):
 sddl= "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
index 9fab2b56720..cb5a251f7ff 100644
--- a/source4/setup/provision_configuration.ldif
+++ b/source4/setup/provision_configuration.ldif
@@ -1018,6 +1018,7 @@ objectClass: crossRefContainer
 systemFlags: -2147483648
 msDS-Behavior-Version: ${FOREST_FUNCTIONALITY}
 showInAdvancedViewOnly: TRUE
+nTSecurityDescriptor:: ${PARTITIONS_DESCRIPTOR}
 # Partitions for DNS are missing here, they are added from provision_dnszones.ldif
-- 
2.11.4.GIT
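Review bot: `get_config_partitions_descriptor` has no docstring, and unlike `get_domain_descriptor` directly below it, whose SDDL opens with `O:BAG:BAD:AI`, the new SDDL starts at `D:` with no `O:`/`G:` part, so the packed descriptor carries no owner or group and whatever consumes it decides those; if that omission is deliberate (it reads like a schema-style default descriptor, which never names owner/group) the function should say so. Suggested docstring: `"""Return the packed nTSecurityDescriptor for CN=Partitions,CN=Configuration (bug #9481). Only the DACL and SACL are given; owner and group are intentionally left unset."""`. The SDDL is built from `domain_sid` by `from_sddl`, so a one-line note that the domain SID resolves the relative aliases (EA, BA, etc.) would also help readers unfamiliar with the helper.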
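Review bot: The added `nTSecurityDescriptor:: ${PARTITIONS_DESCRIPTOR}` uses the `::` base64 form, which only works if the substituted value is a single unwrapped base64 line; the Python side uses `b64encode`, which produces exactly that, but nothing in the template records the coupling. A comment line above the attribute, `# ${PARTITIONS_DESCRIPTOR} is built by get_config_partitions_descriptor() in provision/descriptor.py`, would make the dependency visible to anyone editing this entry. The entry's `dn:` line is outside the hunk.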