From a477649e568577875be577c70a6b25cbeea6985a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 23 Jan 2013 16:27:17 +0100
Subject: [PATCH] provision: fix nTSecurityDescriptor attributes of CN=*,${CONFIGDN} (bug #9481)
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
 .../scripting/python/samba/provision/__init__.py | 21 +++++++++++++++++++++
 source4/setup/provision_configuration.ldif | 6 ++++++
 source4/setup/provision_configuration_modify.ldif | 6 ++++++
 source4/setup/provision_well_known_sec_princ.ldif | 1 +
 4 files changed, 34 insertions(+)
 create mode 100644 source4/setup/provision_configuration_modify.ldif
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index cd29e0c95ce..8f4928ce2b1 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -1298,8 +1298,14 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
 # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
 if fill == FILL_FULL:
 logger.info("Setting up sam.ldb configuration data")
+ partitions_descr = b64encode(get_config_partitions_descriptor(domainsid))
 sites_descr = b64encode(get_config_sites_descriptor(domainsid))
+ ntdsquotas_descr = b64encode(get_config_ntds_quotas_descriptor(domainsid))
+ protected1_descr = b64encode(get_config_delete_protected1_descriptor(domainsid))
+ protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid))
+ protected2_descr = b64encode(get_config_delete_protected2_descriptor(domainsid))
+
 setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
 "CONFIGDN": names.configdn,
 "NETBIOSNAME": names.netbiosname,
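Review bot: `partitions_descr` is assigned here, yet the unchanged `"PARTITIONS_DESCRIPTOR": partitions_descr` entry in the dictionary further down already used that name before this commit, so an earlier assignment above this hunk is presumably still present and is now redundant. Keeping a single assignment, either the pre-existing one or this new one next to the other descriptor helpers, avoids the two drifting apart if the helper's output ever changes. fill_samdb starts before this hunk and continues after it.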
@@ -1311,6 +1317,12 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
 "SERVERDN": names.serverdn,
 "FOREST_FUNCTIONALITY": str(forestFunctionality),
 "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
+ "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr,
+ "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr,
+ "SERVICES_DESCRIPTOR": protected1_descr,
+ "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr,
+ "FORESTUPDATES_DESCRIPTOR": protected1wd_descr,
+ "EXTENDEDRIGHTS_DESCRIPTOR": protected2_descr,
 "PARTITIONS_DESCRIPTOR": partitions_descr,
 "SITES_DESCRIPTOR": sites_descr,
 })
@@ -1323,6 +1335,13 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
 check_all_substituted(display_specifiers_ldif)
 samdb.add_ldif(display_specifiers_ldif)
+ logger.info("Modifying display specifiers")
+ setup_modify_ldif(samdb,
+ setup_path("provision_configuration_modify.ldif"), {
+ "CONFIGDN": names.configdn,
+ "DISPLAYSPECIFIERS_DESCRIPTOR": protected2_descr
+ })
+
 logger.info("Adding users container")
 users_desc = b64encode(get_domain_users_descriptor(domainsid))
 setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
@@ -1372,8 +1391,10 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
 "SCHEMADN": names.schemadn})
 logger.info("Setting up well known security principals")
+ protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(domainsid))
 setup_add_ldif(samdb, setup_path("provision_well_known_sec_princ.ldif"), {
 "CONFIGDN": names.configdn,
+ "WELLKNOWNPRINCIPALS_DESCRIPTOR": protected1wd_descr,
 })
 if fill == FILL_FULL or fill == FILL_SUBDOMAIN:
diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
index 1d818ef95cf..42de84afade 100644
--- a/source4/setup/provision_configuration.ldif
+++ b/source4/setup/provision_configuration.ldif
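Review bot: The six new substitution keys hand three different descriptor templates (protected1, protected1wd, protected2) to the configuration containers without saying what distinguishes them, so a reader cannot tell why CN=Services gets protected1 while LostAndFoundConfig, PhysicalLocations and ForestUpdates get protected1wd and Extended-Rights gets protected2. A short comment above the new keys, e.g. `# per-container security descriptors for CN=*,${CONFIGDN}; see the get_config_delete_protected*_descriptor helpers for what each template grants`, would let the next person changing one of these mappings check it against the intended default rather than guess. fill_samdb starts before this hunk and continues after it.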
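Review bot: The new modify step overwrites nTSecurityDescriptor on CN=DisplaySpecifiers with `replace:` right after `samdb.add_ldif(display_specifiers_ldif)`, and nothing in the hunk records why this container's descriptor is applied after the fact instead of in the add, as is done for the other containers in provision_configuration.ldif. A one-line comment such as `# display_specifiers_ldif is loaded from a separate, untemplated file, so its descriptor is applied afterwards with a modify` (adjusted if the real reason differs) would keep a future cleanup from folding it back into the add. Unlike the add path two lines above, this call has no visible `check_all_substituted`; if `setup_modify_ldif` does not perform that check itself, an unsubstituted `${DISPLAYSPECIFIERS_DESCRIPTOR}` would only fail later inside ldb rather than at the template boundary. Whether the call sits inside the `if fill == FILL_FULL:` branch cannot be told from this rendering because the indentation was lost, and fill_samdb continues outside the hunk.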
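Review bot: `protected1wd_descr` is computed a second time here with the same `get_config_delete_protected1wd_descriptor(domainsid)` call used in the FILL_FULL block earlier in the function. If this `setup_add_ldif` also runs for fill modes in which that block is skipped, the recomputation is needed and the earlier one could become a single assignment before the `if fill == FILL_FULL:` test; if both always run together, this line is redundant. Either way, a comment stating which fill modes reach this point, e.g. `# computed again: this runs for every fill mode, the FILL_FULL block above may have been skipped`, would make the duplication intentional rather than accidental. fill_samdb continues outside the hunk.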
@@ -21,6 +21,7 @@ dn: CN=Extended-Rights,${CONFIGDN}
 objectClass: top
 objectClass: container
 systemFlags: -2147483648
+nTSecurityDescriptor:: ${EXTENDEDRIGHTS_DESCRIPTOR}
 dn: CN=Change-Rid-Master,CN=Extended-Rights,${CONFIGDN}
 objectClass: top
@@ -706,6 +707,7 @@ validAccesses: 48
 dn: CN=ForestUpdates,${CONFIGDN}
 objectClass: top
 objectClass: container
+nTSecurityDescriptor:: ${FORESTUPDATES_DESCRIPTOR}
 dn: CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,${CONFIGDN}
 objectClass: top
@@ -1001,6 +1003,7 @@ dn: CN=LostAndFoundConfig,${CONFIGDN}
 objectClass: top
 objectClass: lostAndFound
 systemFlags: -2147483648
+nTSecurityDescriptor:: ${LOSTANDFOUND_DESCRIPTOR}
 dn: CN=NTDS Quotas,${CONFIGDN}
 objectClass: top
@@ -1009,6 +1012,7 @@ description: Quota specifications container
 isCriticalSystemObject: TRUE
 msDS-TombstoneQuotaFactor: 100
 systemFlags: -2147483648
+nTSecurityDescriptor:: ${NTDSQUOTAS_DESCRIPTOR}
 # Partitions
@@ -1053,6 +1057,7 @@ objectClass: top
 objectClass: locality
 objectClass: physicalLocation
 l: Physical Locations tree root
+nTSecurityDescriptor:: ${PHYSICALLOCATIONS_DESCRIPTOR}
 # Schema located in "ad-schema/*.txt"
@@ -1062,6 +1067,7 @@ dn: CN=Services,${CONFIGDN}
 objectClass: top
 objectClass: container
 systemFlags: -2147483648
+nTSecurityDescriptor:: ${SERVICES_DESCRIPTOR}
 dn: CN=MsmqServices,CN=Services,${CONFIGDN}
 objectClass: top
diff --git a/source4/setup/provision_configuration_modify.ldif b/source4/setup/provision_configuration_modify.ldif
new file mode 100644
index 00000000000..6840604f676
--- /dev/null
+++ b/source4/setup/provision_configuration_modify.ldif
@@ -0,0 +1,6 @@
+dn: CN=DisplaySpecifiers,${CONFIGDN}
+changetype: modify
+-
+replace: nTSecurityDescriptor
+nTSecurityDescriptor:: ${DISPLAYSPECIFIERS_DESCRIPTOR}
+-
diff --git a/source4/setup/provision_well_known_sec_princ.ldif b/source4/setup/provision_well_known_sec_princ.ldif
index 54691bd7964..1817382a693 100644
--- a/source4/setup/provision_well_known_sec_princ.ldif
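Review bot: In the new provision_configuration_modify.ldif the `-` line placed directly after `changetype: modify` precedes any mod-spec, whereas RFC 2849 LDIF uses `-` only as the terminator after each `replace:`/`add:`/`delete:` group. ldb's LDIF reader may well tolerate an empty leading group, but the other modify LDIFs under setup/ (not visible here) are worth checking so this file follows the same convention; dropping that one line leaves `changetype: modify`, `replace: nTSecurityDescriptor`, the value line and the closing `-`, which any LDIF consumer accepts. The `::` form correctly marks the value as base64, matching the `b64encode` applied on the Python side.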
+++ b/source4/setup/provision_well_known_sec_princ.ldif
@@ -4,6 +4,7 @@ dn: CN=WellKnown Security Principals,${CONFIGDN}
 objectClass: top
 objectClass: container
 systemFlags: -2147483648
+nTSecurityDescriptor:: ${WELLKNOWNPRINCIPALS_DESCRIPTOR}
 dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
 objectClass: top
--
2.11.4.GIT