From ebb0a88722d416ad470497fd6ffa7b26abfe58bc Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 10 Dec 2012 11:32:07 +0100
Subject: [PATCH] s4:provision: set the correct nTSecurityDescriptor on
 CN=Infrastructure,... (bug #9481)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source4/scripting/python/samba/provision/__init__.py   | 7 +++++--
 source4/scripting/python/samba/provision/descriptor.py | 9 +++++++++
 source4/setup/provision.ldif                           | 1 +
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index 5e80d63d4a9..74288c1347d 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -81,7 +81,8 @@ from samba.provision.descriptor import (
     get_config_descriptor,
     get_config_partitions_descriptor,
     get_config_sites_descriptor,
-    get_domain_descriptor
+    get_domain_descriptor,
+    get_domain_infrastructure_descriptor,
     )
 from samba.provision.common import (
     setup_path,
@@ -1296,6 +1297,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
             setup_path("provision_computers_modify.ldif"), {
                 "DOMAINDN": names.domaindn})
         logger.info("Setting up sam.ldb data")
+        infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid))
         setup_add_ldif(samdb, setup_path("provision.ldif"), {
             "CREATTIME": str(samba.unix2nttime(int(time.time()))),
             "DOMAINDN": names.domaindn,
@@ -1304,7 +1306,8 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
             "CONFIGDN": names.configdn,
             "SERVERDN": names.serverdn,
             "RIDAVAILABLESTART": str(next_rid + 600),
-            "POLICYGUID_DC": policyguid_dc
+            "POLICYGUID_DC": policyguid_dc,
+            "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
             })
 
         # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
index 2deb5500734..db38e19a3e7 100644
--- a/source4/scripting/python/samba/provision/descriptor.py
+++ b/source4/scripting/python/samba/provision/descriptor.py
@@ -143,6 +143,15 @@ def get_domain_descriptor(domain_sid):
     sec = security.descriptor.from_sddl(sddl, domain_sid)
     return ndr_pack(sec)
 
+def get_domain_infrastructure_descriptor(domain_sid):
+    sddl = "D:" \
+    "(A;;RPLCLORC;;;AU)" \
+    "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \
+    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+    "S:" \
+    "(AU;SA;WPCR;;;WD)"
+    sec = security.descriptor.from_sddl(sddl, domain_sid)
+    return ndr_pack(sec)
 
 def get_dns_partition_descriptor(domainsid):
     sddl = "O:SYG:BAD:AI" \
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 2db01f9bb94..0dcb7d41cd3 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -63,6 +63,7 @@ objectClass: top
 objectClass: infrastructureUpdate
 systemFlags: -1946157056
 isCriticalSystemObject: TRUE
+nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
 
 dn: CN=LostAndFound,${DOMAINDN}
 objectClass: top
-- 
2.11.4.GIT