[SCM] Samba Shared Repository - branch master updated
Michael Adam
obnox at samba.org
Mon Dec 10 23:06:03 MST 2012
The branch, master has been updated
via 914a61d s4:provision: set the correct nTSecurityDescriptor on CN=Domain Controllers,... (bug #9481)
via 8eb359c s4:provision: set the correct nTSecurityDescriptor on CN=Users,... (bug #9481)
via 19b0383 s4:provision: set the correct nTSecurityDescriptor on CN=Computers,... (bug #9481)
via e1301fe s4:provision: set the correct nTSecurityDescriptor on CN=Builtin,... (bug #9481)
via ebb0a88 s4:provision: set the correct nTSecurityDescriptor on CN=Infrastructure,... (bug #9481)
via 999c068 s4:provision: set the correct nTSecurityDescriptor on CN=Sites,CN=Configuration... (bug #9481)
via 649fb5b s4:provision: set the correct nTSecurityDescriptor on CN=Partitions,CN=Configuration... (bug #9481)
via a97b5f2 s4:dsdb/descriptor: pass object_list to create_security_descriptor()
via d20c46a libcli/security: calculate the correct inherited_object GUID
via 75729e6 libcli/security: implement object_in_list()
from 1d949cb s3:auth: fix function header comment for user_sid_in_group_sid()
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 914a61d9e5b7a182592f3afe60f4dad1cd342fc4
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 11 03:15:26 2012 +0100
s4:provision: set the correct nTSecurityDescriptor on CN=Domain Controllers,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Autobuild-User(master): Michael Adam <obnox at samba.org>
Autobuild-Date(master): Tue Dec 11 07:05:39 CET 2012 on sn-devel-104
commit 8eb359c23c6379be1ccc32e27fd2316d77a7c7b3
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 11 03:15:26 2012 +0100
s4:provision: set the correct nTSecurityDescriptor on CN=Users,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit 19b03834f08c2a6645a31fe18121534c692c18d1
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 10 11:32:07 2012 +0100
s4:provision: set the correct nTSecurityDescriptor on CN=Computers,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit e1301fef735b305736db0b6db335c37aa9fea832
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 10 11:32:07 2012 +0100
s4:provision: set the correct nTSecurityDescriptor on CN=Builtin,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit ebb0a88722d416ad470497fd6ffa7b26abfe58bc
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 10 11:32:07 2012 +0100
s4:provision: set the correct nTSecurityDescriptor on CN=Infrastructure,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit 999c068113af6158355634eb9a9c4b5a4d3066d8
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 10 11:32:07 2012 +0100
s4:provision: set the correct nTSecurityDescriptor on CN=Sites,CN=Configuration... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit 649fb5b61492562f1400996a6ccf33af17af5b6b
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Dec 10 11:32:07 2012 +0100
s4:provision: set the correct nTSecurityDescriptor on CN=Partitions,CN=Configuration... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit a97b5f219678e409a851d9caf8317a6ef130c12f
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 11 02:01:12 2012 +0100
s4:dsdb/descriptor: pass object_list to create_security_descriptor()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit d20c46a520a7e39dd87476cd81edab56b5543892
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 11 03:17:42 2012 +0100
libcli/security: calculate the correct inherited_object GUID
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit 75729e6703c5b5dff7feefed590086898fc03c74
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 11 02:00:38 2012 +0100
libcli/security: implement object_in_list()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
-----------------------------------------------------------------------
Summary of changes:
libcli/security/create_descriptor.c | 33 +++++-
source4/dsdb/samdb/ldb_modules/descriptor.c | 15 ++-
.../scripting/python/samba/provision/__init__.py | 31 ++++-
.../scripting/python/samba/provision/descriptor.py | 137 ++++++++++++++++++++
source4/setup/provision.ldif | 3 +
source4/setup/provision_computers_add.ldif | 1 +
source4/setup/provision_configuration.ldif | 2 +
source4/setup/provision_users_add.ldif | 1 +
8 files changed, 214 insertions(+), 9 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index 0cac2e4..42ca1a7 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -80,9 +80,30 @@ uint32_t map_generic_rights_ds(uint32_t access_mask)
* and it does not seem to have any influence */
static bool object_in_list(struct GUID *object_list, struct GUID *object)
{
- return true;
+ size_t i;
+
+ if (object_list == NULL) {
+ return true;
+ }
+
+ if (GUID_all_zero(object)) {
+ return true;
+ }
+
+ for (i=0; ; i++) {
+ if (GUID_all_zero(&object_list[i])) {
+ return false;
+ }
+ if (!GUID_equal(&object_list[i], object)) {
+ continue;
+ }
+
+ return true;
+ }
+
+ return false;
}
-
+
/* returns true if the ACE gontains generic information
* that needs to be processed additionally */
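Review bot: the trailing `return false;` after the `for (i=0; ; i++)` loop is unreachable, since the loop only ever exits through one of its own `return` statements; either drop it or give the loop a real termination condition so the intent is visible. The loop also depends on an unstated contract: `object_list` must be terminated by an all-zero GUID, otherwise `GUID_all_zero(&object_list[i])` never fires and the walk runs off the end of the array. That contract belongs in the function comment, which still reads "and it does not seem to have any influence" from when the function was a stub returning `true`, and is now misleading.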
@@ -165,7 +186,13 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
- if (!object_in_list(object_list, &ace->object.object.type.type)) {
+ struct GUID inherited_object = GUID_zero();
+
+ if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
+ inherited_object = ace->object.object.inherited_type.inherited_type;
+ }
+
+ if (!object_in_list(object_list, &inherited_object)) {
tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
}
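Review bot: the `SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT` check fixes a real confusion in the old code, which compared `ace->object.object.type.type` (the ObjectType GUID, i.e. an attribute, property set or extended right) against a list of class GUIDs, so class-restricted inheritance could never match correctly. One suggestion: add a short comment stating that `inherited_object` staying `GUID_zero()` when the flag is absent means "inherit to every class", since `object_in_list()` returns `true` for an all-zero GUID, so a reader does not mistake the zero GUID for an error value.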
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 192c745..fb100f7 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -249,9 +249,15 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
struct dom_sid *default_owner;
struct dom_sid *default_group;
struct security_descriptor *default_descriptor = NULL;
+ struct GUID *object_list = NULL;
if (objectclass != NULL) {
default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
+ object_list = talloc_zero_array(mem_ctx, struct GUID, 2);
+ if (object_list == NULL) {
+ return NULL;
+ }
+ object_list[0] = objectclass->schemaIDGUID;
}
if (object) {
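Review bot: `talloc_zero_array(mem_ctx, struct GUID, 2)` relies on element `[1]` being the all-zero terminator that `object_in_list()` scans for; nothing at this call site says so, so a one-line comment such as "second entry stays zero as the list terminator" would protect the allocation size from a later "why 2?" cleanup. Also worth stating explicitly that when `objectclass` is `NULL` the list stays `NULL` and `object_in_list()` falls back to the old accept-everything behaviour, so the change is deliberately conservative for that path.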
@@ -370,8 +376,13 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
default_owner = get_default_ag(mem_ctx, dn,
session_info->security_token, ldb);
default_group = get_default_group(mem_ctx, ldb, default_owner);
- new_sd = create_security_descriptor(mem_ctx, parent_descriptor, user_descriptor, true,
- NULL, SEC_DACL_AUTO_INHERIT|SEC_SACL_AUTO_INHERIT,
+ new_sd = create_security_descriptor(mem_ctx,
+ parent_descriptor,
+ user_descriptor,
+ true,
+ object_list,
+ SEC_DACL_AUTO_INHERIT |
+ SEC_SACL_AUTO_INHERIT,
session_info->security_token,
default_owner, default_group,
map_generic_rights_ds);
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index c3713c9..e6ea855 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -79,7 +79,14 @@ from samba.provision.backend import (
from samba.provision.descriptor import (
get_empty_descriptor,
get_config_descriptor,
- get_domain_descriptor
+ get_config_partitions_descriptor,
+ get_config_sites_descriptor,
+ get_domain_descriptor,
+ get_domain_infrastructure_descriptor,
+ get_domain_builtin_descriptor,
+ get_domain_computers_descriptor,
+ get_domain_users_descriptor,
+ get_domain_controllers_descriptor
)
from samba.provision.common import (
setup_path,
@@ -1255,6 +1262,8 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
# If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
if fill == FILL_FULL:
logger.info("Setting up sam.ldb configuration data")
+ partitions_descr = b64encode(get_config_partitions_descriptor(domainsid))
+ sites_descr = b64encode(get_config_sites_descriptor(domainsid))
setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
"CONFIGDN": names.configdn,
"NETBIOSNAME": names.netbiosname,
@@ -1266,6 +1275,8 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
"SERVERDN": names.serverdn,
"FOREST_FUNCTIONALITY": str(forestFunctionality),
"DOMAIN_FUNCTIONALITY": str(domainFunctionality),
+ "PARTITIONS_DESCRIPTOR": partitions_descr,
+ "SITES_DESCRIPTOR": sites_descr,
})
logger.info("Setting up display specifiers")
@@ -1277,19 +1288,28 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
samdb.add_ldif(display_specifiers_ldif)
logger.info("Adding users container")
+ users_desc = b64encode(get_domain_users_descriptor(domainsid))
setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
- "DOMAINDN": names.domaindn})
+ "DOMAINDN": names.domaindn,
+ "USERS_DESCRIPTOR": users_desc
+ })
logger.info("Modifying users container")
setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
"DOMAINDN": names.domaindn})
logger.info("Adding computers container")
+ computers_desc = b64encode(get_domain_computers_descriptor(domainsid))
setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), {
- "DOMAINDN": names.domaindn})
+ "DOMAINDN": names.domaindn,
+ "COMPUTERS_DESCRIPTOR": computers_desc
+ })
logger.info("Modifying computers container")
setup_modify_ldif(samdb,
setup_path("provision_computers_modify.ldif"), {
"DOMAINDN": names.domaindn})
logger.info("Setting up sam.ldb data")
+ infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid))
+ builtin_desc = b64encode(get_domain_builtin_descriptor(domainsid))
+ controllers_desc = b64encode(get_domain_controllers_descriptor(domainsid))
setup_add_ldif(samdb, setup_path("provision.ldif"), {
"CREATTIME": str(samba.unix2nttime(int(time.time()))),
"DOMAINDN": names.domaindn,
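Review bot: the new local names are inconsistent across this function: `partitions_descr` and `sites_descr` in the configuration hunk above versus `users_desc`, `computers_desc`, `infrastructure_desc`, `builtin_desc` and `controllers_desc` here; pick one suffix. This also assumes `b64encode` is already imported in this module (the existing `get_config_descriptor` / `get_domain_descriptor` callers presumably use it, but the import is not visible in the diff), which is worth a quick check.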
@@ -1298,7 +1318,10 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
"CONFIGDN": names.configdn,
"SERVERDN": names.serverdn,
"RIDAVAILABLESTART": str(next_rid + 600),
- "POLICYGUID_DC": policyguid_dc
+ "POLICYGUID_DC": policyguid_dc,
+ "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
+ "BUILTIN_DESCRIPTOR": builtin_desc,
+ "DOMAIN_CONTROLLERS_DESCRIPTOR": controllers_desc,
})
# If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
index 3bb2468..adf7579 100644
--- a/source4/scripting/python/samba/provision/descriptor.py
+++ b/source4/scripting/python/samba/provision/descriptor.py
@@ -57,6 +57,38 @@ def get_config_descriptor(domain_sid):
sec = security.descriptor.from_sddl(sddl, domain_sid)
return ndr_pack(sec)
+def get_config_partitions_descriptor(domain_sid):
+ sddl = "D:" \
+ "(A;;LCLORC;;;AU)" \
+ "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)" \
+ "(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)" \
+ "(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)" \
+ "(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)" \
+ "(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)" \
+ "(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)" \
+ "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "(A;;CC;;;ED)" \
+ "(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)" \
+ "S:" \
+ "(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return ndr_pack(sec)
+
+def get_config_sites_descriptor(domain_sid):
+ sddl = "D:" \
+ "(A;;RPLCLORC;;;AU)" \
+ "(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;ER)" \
+ "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "S:" \
+ "(AU;CISA;CCDCSDDT;;;WD)" \
+ "(OU;CIIOSA;CR;;f0f8ffab-1191-11d0-a060-00aa006c33ed;WD)" \
+ "(OU;CIIOSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \
+ "(OU;CIIOSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \
+ "(OU;CIIOSA;WP;3e10944c-c354-11d0-aff8-0000f80367c1;b7b13124-b82e-11d0-afee-0000f80367c1;WD)"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return ndr_pack(sec)
def get_domain_descriptor(domain_sid):
sddl= "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
@@ -111,6 +143,111 @@ def get_domain_descriptor(domain_sid):
sec = security.descriptor.from_sddl(sddl, domain_sid)
return ndr_pack(sec)
+def get_domain_infrastructure_descriptor(domain_sid):
+ sddl = "D:" \
+ "(A;;RPLCLORC;;;AU)" \
+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "S:" \
+ "(AU;SA;WPCR;;;WD)"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return ndr_pack(sec)
+
+def get_domain_builtin_descriptor(domain_sid):
+ sddl = "D:" \
+ "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
+ "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
+ "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
+ "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
+ "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
+ "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
+ "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
+ "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
+ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
+ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \
+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \
+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \
+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \
+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \
+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \
+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+ "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+ "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \
+ "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \
+ "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \
+ "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
+ "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \
+ "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
+ "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \
+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \
+ "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \
+ "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \
+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+ "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+ "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \
+ "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \
+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \
+ "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \
+ "(A;;RPRC;;;RU)" \
+ "(A;CI;LC;;;RU)" \
+ "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \
+ "(A;;RP;;;WD)" \
+ "(A;;RPLCLORC;;;ED)" \
+ "(A;;RPLCLORC;;;AU)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "S:" \
+ "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \
+ "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \
+ "(AU;SA;CR;;;DU)" \
+ "(AU;SA;CR;;;BA)" \
+ "(AU;SA;WPWOWD;;;WD)"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return ndr_pack(sec)
+
+def get_domain_computers_descriptor(domain_sid):
+ sddl = "D:" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \
+ "(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)" \
+ "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \
+ "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \
+ "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \
+ "(A;;RPLCLORC;;;AU)" \
+ "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \
+ "S:"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return ndr_pack(sec)
+
+def get_domain_users_descriptor(domain_sid):
+ sddl = "D:" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \
+ "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \
+ "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \
+ "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \
+ "(A;;RPLCLORC;;;AU)" \
+ "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \
+ "S:"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return ndr_pack(sec)
+
+def get_domain_controllers_descriptor(domain_sid):
+ sddl = "D:" \
+ "(A;;RPLCLORC;;;AU)" \
+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "(A;;RPLCLORC;;;ED)" \
+ "S:" \
+ "(AU;SA;CCDCWOWDSDDT;;;WD)" \
+ "(AU;CISA;WP;;;WD)"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return ndr_pack(sec)
def get_dns_partition_descriptor(domainsid):
sddl = "O:SYG:BAD:AI" \
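Review bot: all seven new templates omit the owner and group (`O:` / `G:`) and the `AI` DACL flag, while `get_domain_descriptor()` and `get_dns_partition_descriptor()` immediately next to them carry `O:BAG:BAD:AI` and `O:SYG:BAD:AI`; that is consistent with the descriptor module supplying default owner/group and auto-inheritance at add time, but a comment above the first new function saying so would stop a future reader from "fixing" the asymmetry. Two smaller points: `get_domain_computers_descriptor()` and `get_domain_users_descriptor()` end with a bare `"S:"` (an empty SACL), so it is worth confirming that `security.descriptor.from_sddl()` accepts an empty SACL section rather than silently producing no SACL; and the long runs of schema and extended-right GUIDs are entirely undocumented, so referencing bug #9481 (or the source these defaults were taken from) in a comment would make them reviewable.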
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 2db01f9..51e56ff 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -24,6 +24,7 @@ serverState: 1
showInAdvancedViewOnly: FALSE
systemFlags: -1946157056
uASCompat: 1
+nTSecurityDescriptor:: ${BUILTIN_DESCRIPTOR}
dn: CN=Deleted Objects,${DOMAINDN}
objectClass: top
@@ -45,6 +46,7 @@ systemFlags: -1946157056
isCriticalSystemObject: TRUE
showInAdvancedViewOnly: FALSE
gPLink: [LDAP://CN={${POLICYGUID_DC}},CN=Policies,CN=System,${DOMAINDN};0]
+nTSecurityDescriptor:: ${DOMAIN_CONTROLLERS_DESCRIPTOR}
# Joined DC located in "provision_self_join.ldif"
@@ -63,6 +65,7 @@ objectClass: top
objectClass: infrastructureUpdate
systemFlags: -1946157056
isCriticalSystemObject: TRUE
+nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
dn: CN=LostAndFound,${DOMAINDN}
objectClass: top
diff --git a/source4/setup/provision_computers_add.ldif b/source4/setup/provision_computers_add.ldif
index 6db3f41..45e2aa4 100644
--- a/source4/setup/provision_computers_add.ldif
+++ b/source4/setup/provision_computers_add.ldif
@@ -1,3 +1,4 @@
dn: CN=Computers,${DOMAINDN}
objectClass: top
objectClass: container
+nTSecurityDescriptor:: ${COMPUTERS_DESCRIPTOR}
diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
index 9fab2b5..1d818ef 100644
--- a/source4/setup/provision_configuration.ldif
+++ b/source4/setup/provision_configuration.ldif
@@ -1018,6 +1018,7 @@ objectClass: crossRefContainer
systemFlags: -2147483648
msDS-Behavior-Version: ${FOREST_FUNCTIONALITY}
showInAdvancedViewOnly: TRUE
+nTSecurityDescriptor:: ${PARTITIONS_DESCRIPTOR}
# Partitions for DNS are missing here, they are added from provision_dnszones.ldif
@@ -1194,6 +1195,7 @@ dn: CN=Sites,${CONFIGDN}
objectClass: top
objectClass: sitesContainer
systemFlags: -2113929216
+ntSecurityDescriptor:: ${SITES_DESCRIPTOR}
dn: CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
objectClass: top
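Review bot: the attribute is spelled `ntSecurityDescriptor` here but `nTSecurityDescriptor` in every other added line of this changeset; LDAP attribute names are matched case-insensitively so it will work, but the inconsistency is easy to trip over when grepping and should be normalised to `nTSecurityDescriptor`.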
diff --git a/source4/setup/provision_users_add.ldif b/source4/setup/provision_users_add.ldif
index db075d9..d5f76ed 100644
--- a/source4/setup/provision_users_add.ldif
+++ b/source4/setup/provision_users_add.ldif
@@ -1,3 +1,4 @@
dn: CN=Users,${DOMAINDN}
objectClass: top
objectClass: container
+nTSecurityDescriptor:: ${USERS_DESCRIPTOR}
--
Samba Shared Repository