From e0ad19daa59415923d61882d7529d4f95aa15518 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 13 Dec 2012 12:56:37 +0100 Subject: [PATCH] s4:samba_upgradeprovision: fix the nTSecurityDescriptor on more containers (bug #9481) Signed-off-by: Stefan Metzmacher --- source4/scripting/bin/samba_upgradeprovision | 75 ++++++++++++++------------ 1 file changed, 41 insertions(+), 34 deletions(-) diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision index 7060b73..5a4a701 100755 --- a/source4/scripting/bin/samba_upgradeprovision +++ b/source4/scripting/bin/samba_upgradeprovision @@ -47,6 +47,13 @@ from samba import param, dsdb, Ldb from samba.common import confirm from samba.provision import (get_domain_descriptor, find_provision_key_parameters, get_config_descriptor, get_empty_descriptor, + get_domain_infrastructure_descriptor, + get_domain_builtin_descriptor, + get_domain_computers_descriptor, + get_domain_users_descriptor, + get_domain_controllers_descriptor, + get_config_partitions_descriptor, + get_config_sites_descriptor, ProvisioningError, get_last_provision_usn, get_max_usn, update_provision_usn, setup_path) from samba.schema import get_linked_attributes, Schema, get_schema_descriptor @@ -1269,8 +1276,8 @@ def check_updated_sd(ref_sam, cur_sam, names): -def fix_partition_sd(samdb, names): - """This function fix the SD for partition containers (basedn, configdn, ...) +def fix_wellknown_sd(samdb, names): + """This function fix the SD for partition/wellknown containers (basedn, configdn, ...) This is needed because some provision use to have broken SD on containers :param samdb: An LDB object pointing to the sam of the current provision 
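Review bot: The new docstring still reads `This function fix the SD …` and says nothing about what the function now returns, even though rebuild_sd (later in this patch) relies on that returned list to decide which entries to skip. I would make the summary `Fix the nTSecurityDescriptor on the partition roots and the well-known containers (basedn, configdn, ...)` and add `:return: list of DN strings whose descriptor was handled here; rebuild_sd skips them`, so a caller does not have to read the body to learn the contract. Only the def line and the first docstring line are in this hunk; the rest of the function is below it.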
@@ -1280,34 +1287,35 @@ def fix_partition_sd(samdb, names): if len(dnToRecalculate) == 0 and len(dnNotToRecalculate) == 0: alwaysRecalculate = True + list_wellknown_dns = [] + + # Then subcontainers + subcontainers = { \ + "%s" % str(names.rootdn) : get_domain_descriptor, + "CN=Infrastructure,%s" % str(names.rootdn) : get_domain_infrastructure_descriptor, + "CN=Builtin,%s" % str(names.rootdn) : get_domain_builtin_descriptor, + "CN=Computers,%s" % str(names.rootdn) : get_domain_computers_descriptor, + "CN=Users,%s" % str(names.rootdn) : get_domain_users_descriptor, + "OU=Domain Controllers,%s" % str(names.rootdn) : get_domain_controllers_descriptor, + + "%s" % str(names.configdn) : get_config_descriptor, + "CN=Partitions,%s" % str(names.configdn) : get_config_partitions_descriptor, + "CN=Sites,%s" % str(names.configdn) : get_config_sites_descriptor, + + "%s" % str(names.schemadn) : get_schema_descriptor, + } + + for [dn, descriptor_fn] in subcontainers.items(): + list_wellknown_dns.append(dn) + if alwaysRecalculate or dn in dnToRecalculate: + delta = Message() + delta.dn = Dn(samdb, str(dn)) + descr = descriptor_fn(names.domainsid) + delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE, + "nTSecurityDescriptor" ) + samdb.modify(delta) - # NC's DN can't be both in dnToRecalculate and dnNotToRecalculate - # First update the SD for the rootdn - if alwaysRecalculate or str(names.rootdn) in dnToRecalculate: - delta = Message() - delta.dn = Dn(samdb, str(names.rootdn)) - descr = get_domain_descriptor(names.domainsid) - delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE, - "nTSecurityDescriptor") - samdb.modify(delta) - - # Then the config dn - if alwaysRecalculate or str(names.configdn) in dnToRecalculate: - delta = Message() - delta.dn = Dn(samdb, str(names.configdn)) - descr = get_config_descriptor(names.domainsid) - delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE, - "nTSecurityDescriptor" ) - 
samdb.modify(delta) - - # Then the schema dn - if alwaysRecalculate or str(names.schemadn) in dnToRecalculate: - delta = Message() - delta.dn = Dn(samdb, str(names.schemadn)) - descr = get_schema_descriptor(names.domainsid) - delta["nTSecurityDescriptor"] = MessageElement(descr, FLAG_MOD_REPLACE, - "nTSecurityDescriptor" ) - samdb.modify(delta) + return list_wellknown_dns def rebuild_sd(samdb, names): """Rebuild security descriptor of the current provision from scratch @@ -1320,10 +1328,8 @@ def rebuild_sd(samdb, names): :param names: List of key provision parameters""" - fix_partition_sd(samdb, names) + listWellknown = fix_wellknown_sd(samdb, names) - # List of namming contexts - listNC = [str(names.rootdn), str(names.configdn), str(names.schemadn)] hash = {} if len(dnToRecalculate) == 0: res = samdb.search(expression="objectClass=*", base=str(names.rootdn), @@ -1350,8 +1356,9 @@ def rebuild_sd(samdb, names): % (len(dnToRecalculate), len(listKeys))) for key in listKeys: - if (key in listNC or - key in dnNotToRecalculate): + if key in listWellknown: + continue + if key in dnNotToRecalculate: continue delta = Message() delta.dn = Dn(samdb, key) -- 1.7.9.5
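Review bot: Replacing the three explicitly ordered modify calls with iteration over `subcontainers.items()` loses the parent-before-child order the old code had, because on the Python 2 interpreters this script was written for a dict literal does not iterate in source order (the `# Then subcontainers` comment suggests order was intended). If the dsdb descriptor module derives a child's inherited ACEs from the parent's stored nTSecurityDescriptor at modify time — I believe it does, but that is not visible here — then `CN=Users,…` written before `names.rootdn` inherits from the still-broken root SD, which is exactly what this fix is meant to repair. Replace the dict with a list of `(dn, descriptor_fn)` pairs, the three NC roots first and their children after, and iterate `for dn, descriptor_fn in subcontainers:`. Separately, `samdb.modify(delta)` on an entry that an old provision lacks raises and aborts the remaining entries; if any of the newly added containers can be absent, catch the no-such-object `LdbError` for that entry and continue. fix_wellknown_sd's signature and docstring are above this hunk, outside it.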
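Review bot: `if key in listWellknown: continue` compares the raw DN text of each search result against the strings fix_wellknown_sd built from `names.rootdn`, `names.configdn` and `names.schemadn`, and nothing normalizes either side. Whether ldb's string form of a result DN and the provision's stored name agree byte-for-byte (case of attribute types, spacing after commas) is not visible in this hunk; if they differ for any entry, that container falls through to the generic recalculation below and the descriptor just written for it is replaced, silently undoing the fix. Comparing canonical forms closes the gap, e.g. `if str(Dn(samdb, key)) in listWellknown:` with the list likewise filled via `str(Dn(samdb, str(dn)))`, and a set built once before the loop would keep the membership test cheap. rebuild_sd's loop body continues past the end of the hunk.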