[SAMBA 4] Patches for "systemFlags"

Andrew Bartlett abartlet at samba.org
Tue Jun 30 02:30:50 MDT 2009


On Tue, 2009-06-30 at 10:01 +0200, Matthias Dieter Wallnöfer wrote:
> Here the mentioned patches.
> 
> Matthias

Thank you very much.  I do have a few comments, which is why I asked for
you to post these here:

> plain text document attachment (ldapV2.patch)
> diff --git a/source4/setup/provision_rootdse_add.ldif b/source4/setup/provision_rootdse_add.ldif
> index a5319f6..e4e4309 100644
> --- a/source4/setup/provision_rootdse_add.ldif
> +++ b/source4/setup/provision_rootdse_add.ldif
> @@ -7,6 +7,7 @@ rootDomainNamingContext: ${ROOTDN}
>  configurationNamingContext: ${CONFIGDN}
>  schemaNamingContext: ${SCHEMADN}
>  supportedLDAPVersion: 3
> +supportedLDAPVersion: 2
>  dnsHostName: ${DNSNAME}
>  ldapServiceName: ${DNSDOMAIN}:${NETBIOSNAME}$@${REALM}
>  serverName: ${SERVERDN}
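
Review bot: advertising `supportedLDAPVersion: 2` in the rootDSE is a promise that the server really accepts LDAPv2 binds, so this line should land only together with (or after) the server-side v2 handling it describes. If v2 is accepted, the commit message should also record that LDAPv2 (moved to Historic by RFC 3494) has neither SASL nor StartTLS, so clients negotiating it are limited to the simple bind path.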
> plain text document attachment (ldif.patch)
> diff --git a/source4/setup/display_specifiers.ldif b/source4/setup/display_specifiers.ldif
> index 669a153..dc76077 100644
> --- a/source4/setup/display_specifiers.ldif
> +++ b/source4/setup/display_specifiers.ldif
> @@ -1,6 +1,8 @@
>  dn: CN=DisplaySpecifiers,${CONFIGDN}
>  objectClass: top
>  objectClass: container
> +objectVersion: 1

Were we just missing the objectVersion before?  Or is it a new thing in
later versions of Windows?

> +systemFlags: -2147483648
>  
>  dn: CN=409,CN=DisplaySpecifiers,${CONFIGDN}
>  objectClass: top
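
Review bot: `objectVersion: 1` on CN=DisplaySpecifiers is a new attribute rather than a sign correction, so it belongs in a separate commit from the `systemFlags: -2147483648` line, which is simply the int32 reading of the 2147483648 (0x80000000) value used elsewhere in this series and is consistent with the other hunks.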
> diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
> index 1afe72f..e5b20d0 100644
> --- a/source4/setup/provision.ldif
> +++ b/source4/setup/provision.ldif
> @@ -3,7 +3,7 @@ objectClass: top
>  objectClass: organizationalUnit
>  cn: Domain Controllers
>  description: Default container for domain controllers
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  isCriticalSystemObject: TRUE
>  showInAdvancedViewOnly: FALSE
>  
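
Review bot: the arithmetic checks out for every `2348810240` to `-1946157056` replacement in this file: 2348810240 is 0x8C000000, and -1946157056 is the same 32-bit pattern read as a signed int32 (2348810240 minus 2^32), so the flag bits are unchanged and the value merely stops overflowing int32. Stating that mapping once in the commit message would stop later readers mistaking it for a policy change.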
> @@ -12,7 +12,7 @@ objectClass: top
>  objectClass: container
>  cn: ForeignSecurityPrincipals
>  description: Default container for security identifiers (SIDs) associated with objects from external, trusted domains
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  isCriticalSystemObject: TRUE
>  showInAdvancedViewOnly: FALSE
>  
> @@ -21,14 +21,14 @@ objectClass: top
>  objectClass: container
>  cn: System
>  description: Builtin system settings
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  isCriticalSystemObject: TRUE
>  
>  dn: CN=RID Manager$,CN=System,${DOMAINDN}
>  objectclass: top
>  objectclass: rIDManager
>  cn: RID Manager$
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  isCriticalSystemObject: TRUE
>  fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>  rIDAvailablePool: 4611686014132423217
> @@ -48,7 +48,7 @@ dn: CN=Infrastructure,${DOMAINDN}
>  objectclass: top
>  objectclass: infrastructureUpdate
>  cn: Infrastructure
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  isCriticalSystemObject: TRUE
>  fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>  
> @@ -56,7 +56,7 @@ dn: CN=Builtin,${DOMAINDN}
>  objectClass: top
>  objectClass: builtinDomain
>  cn: Builtin
> -forceLogoff: 9223372036854775808
> +forceLogoff: -9223372036854775808
>  lockoutDuration: -18000000000
>  lockOutObservationWindow: -18000000000
>  lockoutThreshold: 0
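
Review bot: 9223372036854775808 is exactly 2^63 and cannot be stored as a signed 64-bit value, so the old `forceLogoff` was never representable in the attribute's own type; -9223372036854775808 is the correct two's-complement reading (the "never" sentinel). The same correction recurs in provision_basedn_modify.ldif below, so please keep both copies in sync.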
> @@ -73,10 +73,12 @@ uASCompat: 1
>  modifiedCount: 1
>  isCriticalSystemObject: TRUE
>  showInAdvancedViewOnly: FALSE
> +systemFlags: -1946157056
>  
>  dn: CN=Policies,CN=System,${DOMAINDN}
>  objectClass: top
>  objectClass: container
> +systemFlags: -1946157056
>  
>  dn: CN=IP Security,CN=System,${DOMAINDN}
>  objectClass: top
> diff --git a/source4/setup/provision_basedn_modify.ldif b/source4/setup/provision_basedn_modify.ldif
> index 7b13a19..69b2481 100644
> --- a/source4/setup/provision_basedn_modify.ldif
> +++ b/source4/setup/provision_basedn_modify.ldif
> @@ -5,7 +5,7 @@ dn: ${DOMAINDN}
>  changetype: modify
>  -
>  replace: forceLogoff
> -forceLogoff: 9223372036854775808
> +forceLogoff: -9223372036854775808
>  -
>  replace: lockoutDuration
>  lockoutDuration: -18000000000
> @@ -20,7 +20,7 @@ replace: maxPwdAge
>  maxPwdAge: -37108517437440
>  -
>  replace: minPwdAge
> -minPwdAge: 0
> +minPwdAge: -864000000

While perfectly correct, have you checked if this will create some
problems for our testsuite?  It might mean we are unable to check
passwords as quickly, if we can't change them right away.  Have a look
at RPC-SAMR (we may wish to have this patch in provision, but have some
other things change it for 'make test').

In any case, it should not be mixed into the sign-fixing int32
normalisation patch.

>  -
>  replace: minPwdLength
>  minPwdLength: 7
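
Review bot: `minPwdAge: -864000000` is 86.4 seconds in the 100 ns units that the neighbouring `lockoutDuration: -18000000000` (30 minutes) and `maxPwdAge: -37108517437440` use; if a one-day minimum age was intended, the value needs three more zeros (-864000000000). Either way this is a password-policy change, not a sign fix, and as Andrew says it needs its own commit plus a check of the RPC-SAMR tests that change passwords back-to-back.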
> @@ -64,12 +64,14 @@ modifiedCount: 1
>  replace: fSMORoleOwner
>  fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>  -
> +replace: systemFlags
> +systemFlags: -1946157056

Are these flags not inherited correctly when the object is created?

>  replace: isCriticalSystemObject
>  isCriticalSystemObject: TRUE
>  -
>  replace: subRefs
>  subRefs: ${CONFIGDN}
> -subRefs: ${SCHEMADN}

I'm unsure about this.  Can you give a background for this change?

>  replace: gPLink
>  gPLink: [LDAP://CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN};0]
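
Review bot: as quoted, no `-` separator appears between `+systemFlags: -1946157056` and the following `replace: isCriticalSystemObject`, and the hunk header counts more lines than are shown here; please confirm the separator is present in the real patch, since without it the modify LDIF is malformed at that point. The `-subRefs: ${SCHEMADN}` removal also changes partition structure rather than an integer encoding, so it needs its rationale in the commit message, ideally as a separate commit.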
> diff --git a/source4/setup/provision_computers_modify.ldif b/source4/setup/provision_computers_modify.ldif
> index 3bb4074..110c44c 100644
> --- a/source4/setup/provision_computers_modify.ldif
> +++ b/source4/setup/provision_computers_modify.ldif
> @@ -7,7 +7,7 @@ replace: showInAdvancedViewOnly
>  showInAdvancedViewOnly: FALSE
>  -
>  replace: systemFlags
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  -
>  replace: isCriticalSystemObject
>  isCriticalSystemObject: TRUE
> diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
> index fff3805..e84ac85 100644
> --- a/source4/setup/provision_configuration.ldif
> +++ b/source4/setup/provision_configuration.ldif
> @@ -5,7 +5,7 @@ dn: CN=Partitions,${CONFIGDN}
>  objectClass: top
>  objectClass: crossRefContainer
>  cn: Partitions
> -systemFlags: 2147483648
> +systemFlags: -2147483648
>  msDS-Behavior-Version: 0
>  fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>  
> @@ -38,25 +38,25 @@ dn: CN=Sites,${CONFIGDN}
>  objectClass: top
>  objectClass: sitesContainer
>  cn: Sites
> -systemFlags: 2181038080
> +systemFlags: -2113929216
>  
>  dn: CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
>  objectClass: top
>  objectClass: site
>  cn: ${DEFAULTSITE}
> -systemFlags: 2181038080
> +systemFlags: 1107296256
>  
>  dn: CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
>  objectClass: top
>  objectClass: serversContainer
>  cn: Servers
> -systemFlags: 2181038080
> +systemFlags: 33554432
>  
>  dn: CN=Services,${CONFIGDN}
>  objectClass: top
>  objectClass: container
>  cn: Services
> -systemFlags: 2147483648
> +systemFlags: -2147483648
>  
>  dn: CN=Windows NT,CN=Services,${CONFIGDN}
>  objectClass: top
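
Review bot: the ${DEFAULTSITE} and Servers changes alter the flag bits, not just the sign: 2181038080 is 0x82000000, while 1107296256 is 0x42000000 and 33554432 is 0x02000000, so the top bit (0x80000000, the disallow-delete flag that every other hunk in this series preserves) is dropped on both objects and 0x40000000 is added on the site. If that is deliberate, to match what Windows provisions, say so in the commit message and keep it out of the pure sign-normalisation commit.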
> diff --git a/source4/setup/provision_group_policy.ldif b/source4/setup/provision_group_policy.ldif
> index 98c09b9..d6a4659 100644
> --- a/source4/setup/provision_group_policy.ldif
> +++ b/source4/setup/provision_group_policy.ldif
> @@ -1,5 +1,6 @@
>  dn: CN=Default Domain Policy,CN=System,${DOMAINDN}
>  objectClass: top
> +objectClass: leaf
>  objectClass: domainPolicy
>  isCriticalSystemObject: TRUE
>  
> @@ -15,7 +16,7 @@ objectClass: groupPolicyContainer
>  displayName: Default Domain Policy
>  gPCFunctionalityVersion: 2
>  gPCFileSysPath: \\${DNSDOMAIN}\sysvol\${DNSDOMAIN}\Policies\{${POLICYGUID}}
> -versionNumber: 1
> +versionNumber: 65543
>  flags: 0
>  gPCMachineExtensionNames: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-248
>   8-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4
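
Review bot: `versionNumber: 1` to `65543` (0x00010007) is a semantic change: the high 16 bits carry the user-settings version (1) and the low 16 bits the machine-settings version (7). Clients compare this attribute with the Version line in GPT.INI under the `gPCFileSysPath` shown above, so the sysvol side of provisioning must write the matching value or the policy will appear out of sync; please note that dependency in the commit message and keep the change out of the sign-fix commit.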
> @@ -25,11 +26,14 @@ gPCUserExtensionNames: [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-1
>   1D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-
>   11D1-A7CC-0000F87571E3}]
>  nTSecurityDescriptor: O:${DOMAINSID}-512G:${DOMAINSID}-512D:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-519)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> +systemFlags: -1946157056
>  
>  dn: CN=User,CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
>  objectClass: top
>  objectClass: container
> +systemFlags: -1946157056
>  
>  dn: CN=Machine,CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
>  objectClass: top
>  objectClass: container
> +systemFlags: -1946157056
> diff --git a/source4/setup/provision_schema_basedn_modify.ldif b/source4/setup/provision_schema_basedn_modify.ldif
> index d6c4589..6cd7e05 100644
> --- a/source4/setup/provision_schema_basedn_modify.ldif
> +++ b/source4/setup/provision_schema_basedn_modify.ldif
> @@ -7,7 +7,7 @@ replace: fSMORoleOwner
>  fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>  -
>  replace: objectVersion
> -objectVersion: 30
> +objectVersion: 31
>  -
>  replace: prefixMap
>  prefixMap:: ${PREFIXMAP_B64}

This patch in particular is incorrect.  The objectVersion attribute
actually maps back to the base schema we have loaded.  Currently, we
have Windows 2008's schema, and that is objectVersion 30 (how we got
that much I have no idea).  But by accident or design, it is correctly
set.  We can only move to objectVersion: 31 once we get the 2008R2
schema. 

> diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
> index 77a2e49..b7ca872 100644
> --- a/source4/setup/provision_self_join.ldif
> +++ b/source4/setup/provision_self_join.ldif
> @@ -1,6 +1,10 @@
>  #Join the DC to itself by default
>  
>  dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
> +objectClass: top
> +objectClass: person
> +objectClass: organizationalPerson
> +objectClass: user
>  objectClass: computer
>  cn: ${NETBIOSNAME}
>  userAccountControl: 532480

Here I'm exploiting a trick in AD.  We don't have to specify the full
list of objectClass values; as long as we specify the last one, the rest
are filled in automatically.

> diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
> index c61cb80..88146d8 100644
> --- a/source4/setup/provision_users.ldif
> +++ b/source4/setup/provision_users.ldif
> @@ -208,7 +208,7 @@ member: CN=Administrator,CN=Users,${DOMAINDN}
>  objectSid: S-1-5-32-544
>  adminCount: 1
>  sAMAccountName: Administrators
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  privilege: SeSecurityPrivilege
> @@ -244,7 +244,7 @@ description: Users are prevented from making accidental or intentional system-wi
>  member: CN=Domain Users,CN=Users,${DOMAINDN}
>  objectSid: S-1-5-32-545
>  sAMAccountName: Users
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  
> @@ -257,7 +257,7 @@ member: CN=Domain Guests,CN=Users,${DOMAINDN}
>  member: CN=Guest,CN=Users,${DOMAINDN}
>  objectSid: S-1-5-32-546
>  sAMAccountName: Guests
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  
> @@ -269,7 +269,7 @@ description: Members can administer domain printers
>  objectSid: S-1-5-32-550
>  adminCount: 1
>  sAMAccountName: Print Operators
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  privilege: SeLoadDriverPrivilege
> @@ -284,7 +284,7 @@ description: Backup Operators can override security restrictions for the sole pu
>  objectSid: S-1-5-32-551
>  adminCount: 1
>  sAMAccountName: Backup Operators
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  privilege: SeBackupPrivilege
> @@ -300,7 +300,7 @@ description: Supports file replication in a domain
>  objectSid: S-1-5-32-552
>  adminCount: 1
>  sAMAccountName: Replicator
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  
> @@ -311,7 +311,7 @@ cn: Remote Desktop Users
>  description: Members in this group are granted the right to logon remotely
>  objectSid: S-1-5-32-555
>  sAMAccountName: Remote Desktop Users
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  
> @@ -322,7 +322,7 @@ cn: Network Configuration Operators
>  description: Members in this group can have some administrative privileges to manage configuration of networking features
>  objectSid: S-1-5-32-556
>  sAMAccountName: Network Configuration Operators
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  
> @@ -333,7 +333,7 @@ cn: Performance Monitor Users
>  description: Members of this group have remote access to monitor this computer
>  objectSid: S-1-5-32-558
>  sAMAccountName: Performance Monitor Users
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  
> @@ -344,7 +344,7 @@ cn: Performance Log Users
>  description: Members of this group have remote access to schedule logging of performance counters on this computer
>  objectSid: S-1-5-32-559
>  sAMAccountName: Performance Log Users
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  
> @@ -356,7 +356,7 @@ description: Members can administer domain servers
>  objectSid: S-1-5-32-549
>  adminCount: 1
>  sAMAccountName: Server Operators
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  privilege: SeBackupPrivilege
> @@ -374,7 +374,7 @@ description: Members can administer domain user and group accounts
>  objectSid: S-1-5-32-548
>  adminCount: 1
>  sAMAccountName: Account Operators
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  privilege: SeInteractiveLogonRight
> @@ -386,7 +386,7 @@ cn: Pre-Windows 2000 Compatible Access
>  description: A backward compatibility group which allows read access on all users and groups in the domain
>  objectSid: S-1-5-32-554
>  sAMAccountName: Pre-Windows 2000 Compatible Access
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  privilege: SeRemoteInteractiveLogonRight
> @@ -399,7 +399,7 @@ cn: Incoming Forest Trust Builders
>  description: Members of this group can create incoming, one-way trusts to this forest
>  objectSid: S-1-5-32-557
>  sAMAccountName: Incoming Forest Trust Builders
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  
> @@ -410,7 +410,7 @@ cn: Windows Authorization Access Group
>  description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
>  objectSid: S-1-5-32-560
>  sAMAccountName: Windows Authorization Access Group
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  
> @@ -421,7 +421,7 @@ cn: Terminal Server License Servers
>  description: Terminal Server License Servers
>  objectSid: S-1-5-32-561
>  sAMAccountName: Terminal Server License Servers
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  
> @@ -432,7 +432,7 @@ cn: Distributed COM Users
>  description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
>  objectSid: S-1-5-32-562
>  sAMAccountName: Distributed COM Users
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  groupType: -2147483643
>  isCriticalSystemObject: TRUE
>  
> @@ -440,7 +440,7 @@ dn: CN=WellKnown Security Principals,${CONFIGDN}
>  objectClass: top
>  objectClass: container
>  cn: WellKnown Security Principals
> -systemFlags: 2147483648
> +systemFlags: -2147483648
>  
>  dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
>  objectClass: top
> diff --git a/source4/setup/provision_users_modify.ldif b/source4/setup/provision_users_modify.ldif
> index 06954c4..a7e8a43 100644
> --- a/source4/setup/provision_users_modify.ldif
> +++ b/source4/setup/provision_users_modify.ldif
> @@ -7,7 +7,7 @@ replace: showInAdvancedViewOnly
>  showInAdvancedViewOnly: FALSE
>  -
>  replace: systemFlags
> -systemFlags: 2348810240
> +systemFlags: -1946157056
>  -
>  replace: isCriticalSystemObject
>  isCriticalSystemObject: TRUE
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.