[SAMBA 4] Patches for "systemFlags"
Matthias Dieter Wallnöfer
mwallnoefer at yahoo.de
Tue Jun 30 02:43:48 MDT 2009
Hi Andrew!
My comments. Please also consider the display-specifiers patch (from
Matthieu Patou)!
Andrew Bartlett wrote:
> On Tue, 2009-06-30 at 10:01 +0200, Matthias Dieter Wallnöfer wrote:
>
>> Here the mentioned patches.
>>
>> Matthias
>>
>
> Thank you very much. I do have a few comments, which is why I asked for
> you to post these here:
>
>
>> plain text document attachment (ldapV2.patch)
>> diff --git a/source4/setup/provision_rootdse_add.ldif b/source4/setup/provision_rootdse_add.ldif
>> index a5319f6..e4e4309 100644
>> --- a/source4/setup/provision_rootdse_add.ldif
>> +++ b/source4/setup/provision_rootdse_add.ldif
>> @@ -7,6 +7,7 @@ rootDomainNamingContext: ${ROOTDN}
>> configurationNamingContext: ${CONFIGDN}
>> schemaNamingContext: ${SCHEMADN}
>> supportedLDAPVersion: 3
>> +supportedLDAPVersion: 2
>> dnsHostName: ${DNSNAME}
>> ldapServiceName: ${DNSDOMAIN}:${NETBIOSNAME}$@${REALM}
>> serverName: ${SERVERDN}
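Review bot: supportedLDAPVersion is an advertisement that clients act on, so adding the value 2 is only right if the server actually accepts LDAPv2 binds and requests; a client that selects v2 on the strength of this attribute and is then refused is worse off than one that only ever sees 3. LDAPv2 (RFC 1777) has no SASL bind and was retired by RFC 3494, so unless a specific v2-only client is the motivation, keep the rootDSE at 3 until the server side has been exercised with a v2 bind, and keep this change in its own patch (the attachment name already separates it from the systemFlags work).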
>> plain text document attachment (ldif.patch)
>> diff --git a/source4/setup/display_specifiers.ldif b/source4/setup/display_specifiers.ldif
>> index 669a153..dc76077 100644
>> --- a/source4/setup/display_specifiers.ldif
>> +++ b/source4/setup/display_specifiers.ldif
>> @@ -1,6 +1,8 @@
>> dn: CN=DisplaySpecifiers,${CONFIGDN}
>> objectClass: top
>> objectClass: container
>> +objectVersion: 1
>>
>
> Were we just missing the objectVersion before? Or is it a new thing in
> later versions of Windows?
>
Found in Windows Server 2003 (R2).
>
>> +systemFlags: -2147483648
>>
>> dn: CN=409,CN=DisplaySpecifiers,${CONFIGDN}
>> objectClass: top
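Review bot: -2147483648 is 0x80000000 read as a signed 32-bit integer, i.e. FLAG_DISALLOW_DELETE on its own, which is consistent with the other "disallow delete" containers in this series. One naming hazard worth a comment in the file: the objectVersion: 1 added here is the DisplaySpecifiers container's own version, not the schema objectVersion touched in provision_schema_basedn_modify.ldif further down, so it should stay at 1 when that other change is reverted.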
>> diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
>> index 1afe72f..e5b20d0 100644
>> --- a/source4/setup/provision.ldif
>> +++ b/source4/setup/provision.ldif
>> @@ -3,7 +3,7 @@ objectClass: top
>> objectClass: organizationalUnit
>> cn: Domain Controllers
>> description: Default container for domain controllers
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> isCriticalSystemObject: TRUE
>> showInAdvancedViewOnly: FALSE
>>
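Review bot: this replacement is a pure re-encoding, not a change of flags, and the commit message should say so once for the whole series: 2348810240 is 0x8C000000, i.e. FLAG_DISALLOW_DELETE (0x80000000) | FLAG_DOMAIN_DISALLOW_RENAME (0x08000000) | FLAG_DOMAIN_DISALLOW_MOVE (0x04000000), and -1946157056 is the same bit pattern read as a signed 32-bit integer (2348810240 - 2^32). Stating that systemFlags has the signed 32-bit Integer syntax and that the old values were out of range for it is what makes the dozens of identical hunks below reviewable at a glance.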
>> @@ -12,7 +12,7 @@ objectClass: top
>> objectClass: container
>> cn: ForeignSecurityPrincipals
>> description: Default container for security identifiers (SIDs) associated with objects from external, trusted domains
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> isCriticalSystemObject: TRUE
>> showInAdvancedViewOnly: FALSE
>>
>> @@ -21,14 +21,14 @@ objectClass: top
>> objectClass: container
>> cn: System
>> description: Builtin system settings
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> isCriticalSystemObject: TRUE
>>
>> dn: CN=RID Manager$,CN=System,${DOMAINDN}
>> objectclass: top
>> objectclass: rIDManager
>> cn: RID Manager$
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> isCriticalSystemObject: TRUE
>> fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>> rIDAvailablePool: 4611686014132423217
>> @@ -48,7 +48,7 @@ dn: CN=Infrastructure,${DOMAINDN}
>> objectclass: top
>> objectclass: infrastructureUpdate
>> cn: Infrastructure
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> isCriticalSystemObject: TRUE
>> fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>>
>> @@ -56,7 +56,7 @@ dn: CN=Builtin,${DOMAINDN}
>> objectClass: top
>> objectClass: builtinDomain
>> cn: Builtin
>> -forceLogoff: 9223372036854775808
>> +forceLogoff: -9223372036854775808
>> lockoutDuration: -18000000000
>> lockOutObservationWindow: -18000000000
>> lockoutThreshold: 0
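Review bot: 9223372036854775808 is exactly 2^63, which is outside the range of the signed 64-bit LargeInteger syntax that forceLogoff uses, so the old value could never have been stored faithfully; -9223372036854775808 (0x8000000000000000, the most negative int64) is the value that means no forced logoff. The same replacement appears again in provision_basedn_modify.ldif below; keep both in the same patch so CN=Builtin and the domain head do not disagree.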
>> @@ -73,10 +73,12 @@ uASCompat: 1
>> modifiedCount: 1
>> isCriticalSystemObject: TRUE
>> showInAdvancedViewOnly: FALSE
>> +systemFlags: -1946157056
>>
>> dn: CN=Policies,CN=System,${DOMAINDN}
>> objectClass: top
>> objectClass: container
>> +systemFlags: -1946157056
>>
>> dn: CN=IP Security,CN=System,${DOMAINDN}
>> objectClass: top
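Review bot: unlike the hunks above, these two added lines introduce a systemFlags value where none existed (on CN=Builtin and on CN=Policies,CN=System), which makes those objects undeletable, unrenamable and unmovable from now on. That is a behavioural change rather than a sign fix and should be split out of the normalisation patch, as was asked for minPwdAge, with a note on which Windows version the values were read from; the same applies to the systemFlags lines added in provision_group_policy.ldif.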
>> diff --git a/source4/setup/provision_basedn_modify.ldif b/source4/setup/provision_basedn_modify.ldif
>> index 7b13a19..69b2481 100644
>> --- a/source4/setup/provision_basedn_modify.ldif
>> +++ b/source4/setup/provision_basedn_modify.ldif
>> @@ -5,7 +5,7 @@ dn: ${DOMAINDN}
>> changetype: modify
>> -
>> replace: forceLogoff
>> -forceLogoff: 9223372036854775808
>> +forceLogoff: -9223372036854775808
>> -
>> replace: lockoutDuration
>> lockoutDuration: -18000000000
>> @@ -20,7 +20,7 @@ replace: maxPwdAge
>> maxPwdAge: -37108517437440
>> -
>> replace: minPwdAge
>> -minPwdAge: 0
>> +minPwdAge: -864000000
>>
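Review bot: the new minPwdAge is three orders of magnitude short of a one-day minimum age. AD stores these durations as negative counts of 100 ns units, so -864000000 is 86.4 seconds, whereas one day is -864000000000; compare lockoutDuration: -18000000000 a few lines up, which is 30 minutes. If the value survives anywhere (including a test-only override), add the missing three zeros.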
>
> While perfectly correct, have you checked if this will create some
> problems for our testsuite? It might mean we are unable to check
> passwords as quickly, if we can't change them right away. Have a look
> at RPC-SAMR (we may wish to have this patch in provision, but have some
> other things change it for 'make test').
>
> In any case, it should not be mixed in the sign-fixing int32
> normalisation patch.
>
Good, so "minPwdAge" is going to be reverted (I set it to the default
value of Windows Server 2003).
>
>> -
>> replace: minPwdLength
>> minPwdLength: 7
>> @@ -64,12 +64,14 @@ modifiedCount: 1
>> replace: fSMORoleOwner
>> fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>> -
>> +replace: systemFlags
>> +systemFlags: -1946157056
>>
>
> Are these flags not inherited correctly when the object is created?
>
I didn't notice them, so I added them.
>
>> replace: isCriticalSystemObject
>> isCriticalSystemObject: TRUE
>> -
>> replace: subRefs
>> subRefs: ${CONFIGDN}
>> -subRefs: ${SCHEMADN}
>>
>
> I'm unsure about this. Can you give a background for this change?
>
Yeah, ${SCHEMADN} is a subpartition of ${CONFIGDN}, which is itself a
subpartition of ${BASEDN}. A transitive relation. Also found in Windows
Server 2003 R2.
>
>> replace: gPLink
>> gPLink: [LDAP://CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN};0]
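Review bot: as quoted, the new `replace: systemFlags` change record is not closed with a `-` line before `replace: isCriticalSystemObject`, so a strict LDIF parser will read the second `replace:` as part of the first record. The hunk header (12 lines to 14, with one line removed) implies three added lines while only two are visible, so please confirm the separator is present in the real patch and that only the mail quoting dropped it. On the subRefs change: subRefs lists the immediate subordinate naming contexts, so removing ${SCHEMADN} from the domain head is right only if the configuration head's own entry still carries ${SCHEMADN}; that file is not in this diff, so check it.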
>> diff --git a/source4/setup/provision_computers_modify.ldif b/source4/setup/provision_computers_modify.ldif
>> index 3bb4074..110c44c 100644
>> --- a/source4/setup/provision_computers_modify.ldif
>> +++ b/source4/setup/provision_computers_modify.ldif
>> @@ -7,7 +7,7 @@ replace: showInAdvancedViewOnly
>> showInAdvancedViewOnly: FALSE
>> -
>> replace: systemFlags
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> -
>> replace: isCriticalSystemObject
>> isCriticalSystemObject: TRUE
>> diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
>> index fff3805..e84ac85 100644
>> --- a/source4/setup/provision_configuration.ldif
>> +++ b/source4/setup/provision_configuration.ldif
>> @@ -5,7 +5,7 @@ dn: CN=Partitions,${CONFIGDN}
>> objectClass: top
>> objectClass: crossRefContainer
>> cn: Partitions
>> -systemFlags: 2147483648
>> +systemFlags: -2147483648
>> msDS-Behavior-Version: 0
>> fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>>
>> @@ -38,25 +38,25 @@ dn: CN=Sites,${CONFIGDN}
>> objectClass: top
>> objectClass: sitesContainer
>> cn: Sites
>> -systemFlags: 2181038080
>> +systemFlags: -2113929216
>>
>> dn: CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
>> objectClass: top
>> objectClass: site
>> cn: ${DEFAULTSITE}
>> -systemFlags: 2181038080
>> +systemFlags: 1107296256
>>
>> dn: CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
>> objectClass: top
>> objectClass: serversContainer
>> cn: Servers
>> -systemFlags: 2181038080
>> +systemFlags: 33554432
>>
>> dn: CN=Services,${CONFIGDN}
>> objectClass: top
>> objectClass: container
>> cn: Services
>> -systemFlags: 2147483648
>> +systemFlags: -2147483648
>>
>> dn: CN=Windows NT,CN=Services,${CONFIGDN}
>> objectClass: top
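Review bot: two of the four lines in this hunk are not sign conversions. 2181038080 is 0x82000000 (FLAG_DISALLOW_DELETE | FLAG_DISALLOW_MOVE_ON_DELETE) and -2113929216 is its signed form, so CN=Sites is a pure re-encoding; but CN=${DEFAULTSITE} goes to 1107296256 = 0x42000000 (FLAG_CONFIG_ALLOW_RENAME | FLAG_DISALLOW_MOVE_ON_DELETE, i.e. the site becomes deletable and renamable) and CN=Servers to 33554432 = 0x02000000 (FLAG_DISALLOW_MOVE_ON_DELETE only, also deletable). That looks like what Windows puts on a site, but it changes what an administrator may do, so these two lines belong in the separate "match Windows flags" patch with their origin noted, not in the int32 normalisation.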
>> diff --git a/source4/setup/provision_group_policy.ldif b/source4/setup/provision_group_policy.ldif
>> index 98c09b9..d6a4659 100644
>> --- a/source4/setup/provision_group_policy.ldif
>> +++ b/source4/setup/provision_group_policy.ldif
>> @@ -1,5 +1,6 @@
>> dn: CN=Default Domain Policy,CN=System,${DOMAINDN}
>> objectClass: top
>> +objectClass: leaf
>> objectClass: domainPolicy
>> isCriticalSystemObject: TRUE
>>
>> @@ -15,7 +16,7 @@ objectClass: groupPolicyContainer
>> displayName: Default Domain Policy
>> gPCFunctionalityVersion: 2
>> gPCFileSysPath: \\${DNSDOMAIN}\sysvol\${DNSDOMAIN}\Policies\{${POLICYGUID}}
>> -versionNumber: 1
>> +versionNumber: 65543
>> flags: 0
>> gPCMachineExtensionNames: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-248
>> 8-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4
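Review bot: 65543 is 0x00010007, i.e. the GPO version encoding with the user-side version in the upper 16 bits (1) and the computer-side version in the lower 16 bits (7). Clients compare this attribute against the Version= line of GPT.INI under the gPCFileSysPath given above, so whatever writes the SYSVOL side during provision has to be changed to the same number in the same commit, or the two copies disagree from the first policy refresh.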
>> @@ -25,11 +26,14 @@ gPCUserExtensionNames: [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-1
>> 1D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-
>> 11D1-A7CC-0000F87571E3}]
>> nTSecurityDescriptor: O:${DOMAINSID}-512G:${DOMAINSID}-512D:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-519)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>> +systemFlags: -1946157056
>>
>> dn: CN=User,CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
>> objectClass: top
>> objectClass: container
>> +systemFlags: -1946157056
>>
>> dn: CN=Machine,CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
>> objectClass: top
>> objectClass: container
>> +systemFlags: -1946157056
>> diff --git a/source4/setup/provision_schema_basedn_modify.ldif b/source4/setup/provision_schema_basedn_modify.ldif
>> index d6c4589..6cd7e05 100644
>> --- a/source4/setup/provision_schema_basedn_modify.ldif
>> +++ b/source4/setup/provision_schema_basedn_modify.ldif
>> @@ -7,7 +7,7 @@ replace: fSMORoleOwner
>> fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>> -
>> replace: objectVersion
>> -objectVersion: 30
>> +objectVersion: 31
>> -
>> replace: prefixMap
>> prefixMap:: ${PREFIXMAP_B64}
>>
>
> This patch in particular is incorrect. The objectVersion attribute
> actually maps back to the base schema we have loaded. Currently, we
> have Windows 2008's schema, and that is objectVersion 30 (how we got
> that much I have no idea). But by accident or design, it is correctly
> set. We can only move to objectVersion: 31 once we get the 2008R2
> schema.
>
Okay, I'll revert "objectVersion". I got this from my Windows Server.
>
>> diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
>> index 77a2e49..b7ca872 100644
>> --- a/source4/setup/provision_self_join.ldif
>> +++ b/source4/setup/provision_self_join.ldif
>> @@ -1,6 +1,10 @@
>> #Join the DC to itself by default
>>
>> dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
>> +objectClass: top
>> +objectClass: person
>> +objectClass: organizationalPerson
>> +objectClass: user
>> objectClass: computer
>> cn: ${NETBIOSNAME}
>> userAccountControl: 532480
>>
>
> Here I'm exploiting a trick in AD. We don't have to specify the full
> list of objectClass values, as long as we specify the last one, the rest
> are filled in automatically.
>
Good, but this way it seems cleaner to me. Please leave it in!
>
>> diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
>> index c61cb80..88146d8 100644
>> --- a/source4/setup/provision_users.ldif
>> +++ b/source4/setup/provision_users.ldif
>> @@ -208,7 +208,7 @@ member: CN=Administrator,CN=Users,${DOMAINDN}
>> objectSid: S-1-5-32-544
>> adminCount: 1
>> sAMAccountName: Administrators
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>> privilege: SeSecurityPrivilege
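Review bot: this file already shows the convention the series is moving to: groupType two lines below is stored as -2147483643, which is 0x80000005 with GROUP_TYPE_SECURITY_ENABLED (0x80000000) set, written as a signed 32-bit value. Writing systemFlags the same way is consistent with it, and the remaining hunks in this file are the same 2348810240 to -1946157056 re-encoding; a grep for any systemFlags value above 2147483647 left in setup/ after this patch would confirm none was missed.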
>> @@ -244,7 +244,7 @@ description: Users are prevented from making accidental or intentional system-wi
>> member: CN=Domain Users,CN=Users,${DOMAINDN}
>> objectSid: S-1-5-32-545
>> sAMAccountName: Users
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>>
>> @@ -257,7 +257,7 @@ member: CN=Domain Guests,CN=Users,${DOMAINDN}
>> member: CN=Guest,CN=Users,${DOMAINDN}
>> objectSid: S-1-5-32-546
>> sAMAccountName: Guests
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>>
>> @@ -269,7 +269,7 @@ description: Members can administer domain printers
>> objectSid: S-1-5-32-550
>> adminCount: 1
>> sAMAccountName: Print Operators
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>> privilege: SeLoadDriverPrivilege
>> @@ -284,7 +284,7 @@ description: Backup Operators can override security restrictions for the sole pu
>> objectSid: S-1-5-32-551
>> adminCount: 1
>> sAMAccountName: Backup Operators
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>> privilege: SeBackupPrivilege
>> @@ -300,7 +300,7 @@ description: Supports file replication in a domain
>> objectSid: S-1-5-32-552
>> adminCount: 1
>> sAMAccountName: Replicator
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>>
>> @@ -311,7 +311,7 @@ cn: Remote Desktop Users
>> description: Members in this group are granted the right to logon remotely
>> objectSid: S-1-5-32-555
>> sAMAccountName: Remote Desktop Users
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>>
>> @@ -322,7 +322,7 @@ cn: Network Configuration Operators
>> description: Members in this group can have some administrative privileges to manage configuration of networking features
>> objectSid: S-1-5-32-556
>> sAMAccountName: Network Configuration Operators
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>>
>> @@ -333,7 +333,7 @@ cn: Performance Monitor Users
>> description: Members of this group have remote access to monitor this computer
>> objectSid: S-1-5-32-558
>> sAMAccountName: Performance Monitor Users
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>>
>> @@ -344,7 +344,7 @@ cn: Performance Log Users
>> description: Members of this group have remote access to schedule logging of performance counters on this computer
>> objectSid: S-1-5-32-559
>> sAMAccountName: Performance Log Users
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>>
>> @@ -356,7 +356,7 @@ description: Members can administer domain servers
>> objectSid: S-1-5-32-549
>> adminCount: 1
>> sAMAccountName: Server Operators
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>> privilege: SeBackupPrivilege
>> @@ -374,7 +374,7 @@ description: Members can administer domain user and group accounts
>> objectSid: S-1-5-32-548
>> adminCount: 1
>> sAMAccountName: Account Operators
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>> privilege: SeInteractiveLogonRight
>> @@ -386,7 +386,7 @@ cn: Pre-Windows 2000 Compatible Access
>> description: A backward compatibility group which allows read access on all users and groups in the domain
>> objectSid: S-1-5-32-554
>> sAMAccountName: Pre-Windows 2000 Compatible Access
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>> privilege: SeRemoteInteractiveLogonRight
>> @@ -399,7 +399,7 @@ cn: Incoming Forest Trust Builders
>> description: Members of this group can create incoming, one-way trusts to this forest
>> objectSid: S-1-5-32-557
>> sAMAccountName: Incoming Forest Trust Builders
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>>
>> @@ -410,7 +410,7 @@ cn: Windows Authorization Access Group
>> description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
>> objectSid: S-1-5-32-560
>> sAMAccountName: Windows Authorization Access Group
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>>
>> @@ -421,7 +421,7 @@ cn: Terminal Server License Servers
>> description: Terminal Server License Servers
>> objectSid: S-1-5-32-561
>> sAMAccountName: Terminal Server License Servers
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>>
>> @@ -432,7 +432,7 @@ cn: Distributed COM Users
>> description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
>> objectSid: S-1-5-32-562
>> sAMAccountName: Distributed COM Users
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> groupType: -2147483643
>> isCriticalSystemObject: TRUE
>>
>> @@ -440,7 +440,7 @@ dn: CN=WellKnown Security Principals,${CONFIGDN}
>> objectClass: top
>> objectClass: container
>> cn: WellKnown Security Principals
>> -systemFlags: 2147483648
>> +systemFlags: -2147483648
>>
>> dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
>> objectClass: top
>> diff --git a/source4/setup/provision_users_modify.ldif b/source4/setup/provision_users_modify.ldif
>> index 06954c4..a7e8a43 100644
>> --- a/source4/setup/provision_users_modify.ldif
>> +++ b/source4/setup/provision_users_modify.ldif
>> @@ -7,7 +7,7 @@ replace: showInAdvancedViewOnly
>> showInAdvancedViewOnly: FALSE
>> -
>> replace: systemFlags
>> -systemFlags: 2348810240
>> +systemFlags: -1946157056
>> -
>> replace: isCriticalSystemObject
>> isCriticalSystemObject: TRUE
>>
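As a check on the numbers in this series (example code added for this page; it is not part of the patch or of Samba, and the systemFlags bit names are the ones MS-ADTS documents), the following Python converts the unsigned values the LDIF files used into the signed 32-bit and 64-bit forms the patch writes, decodes the resulting flag bits so that pure re-encodings can be told apart from real flag changes, and converts the 100 ns interval attributes to seconds so that a value such as the new minPwdAge can be sanity-checked. The value pairs are copied from the hunks above.

```python
"""Check the integer re-encodings in the systemFlags patch series.

Added example for this review thread; not part of the patch or of Samba.
The systemFlags bit names follow MS-ADTS. The value pairs are copied from
the hunks quoted in the thread.
"""
from fractions import Fraction

# systemFlags bits documented in MS-ADTS that occur on the containers above.
SYSTEM_FLAGS = {
    0x80000000: "FLAG_DISALLOW_DELETE",
    0x40000000: "FLAG_CONFIG_ALLOW_RENAME",
    0x20000000: "FLAG_CONFIG_ALLOW_MOVE",
    0x10000000: "FLAG_CONFIG_ALLOW_LIMITED_MOVE",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",
    0x02000000: "FLAG_DISALLOW_MOVE_ON_DELETE",
}

HUNDRED_NS_PER_SECOND = 10_000_000


def to_signed(value, bits):
    """Reinterpret a non-negative integer as two's-complement signed of the
    given width: what the patch does by hand for the Integer (32-bit) and
    LargeInteger (64-bit) syntaxes."""
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{value} does not fit in {bits} unsigned bits")
    return value - (1 << bits) if value >> (bits - 1) else value


def to_unsigned(value, bits):
    """Inverse of to_signed: the raw bit pattern as a non-negative integer."""
    if not -(1 << (bits - 1)) <= value < (1 << (bits - 1)):
        raise ValueError(f"{value} does not fit in {bits} signed bits")
    return value & ((1 << bits) - 1)


def decode_system_flags(value):
    """Return the set of named bits in a systemFlags value, accepting either
    the signed or the unsigned spelling; unknown bits come back as hex."""
    if not -(1 << 31) <= value < (1 << 32):
        raise ValueError(f"{value} is not a 32-bit value")
    raw = value & 0xFFFFFFFF
    names = {name for bit, name in SYSTEM_FLAGS.items() if raw & bit}
    leftover = raw & ~sum(SYSTEM_FLAGS) & 0xFFFFFFFF
    if leftover:
        names.add(f"0x{leftover:08x}")
    return names


def interval_seconds(value):
    """AD stores durations such as minPwdAge and lockoutDuration as negative
    counts of 100 ns units; return seconds as an exact Fraction so that
    86.4 s and 86400 s cannot be blurred by float formatting."""
    if value > 0:
        raise ValueError("AD interval attributes are zero or negative")
    return Fraction(-value, HUNDRED_NS_PER_SECOND)


def same_bits(old_unsigned, new_signed, bits=32):
    """True when a replacement is a pure re-encoding of the old value."""
    return to_signed(old_unsigned, bits) == new_signed


# Constructed from the hunks in the thread: (file, rdn, old value, new value).
PATCH_PAIRS = [
    ("provision.ldif", "OU=Domain Controllers", 2348810240, -1946157056),
    ("provision_configuration.ldif", "CN=Partitions", 2147483648, -2147483648),
    ("provision_configuration.ldif", "CN=Sites", 2181038080, -2113929216),
    ("provision_configuration.ldif", "CN=${DEFAULTSITE}", 2181038080, 1107296256),
    ("provision_configuration.ldif", "CN=Servers", 2181038080, 33554432),
]


def classify_pairs(pairs=PATCH_PAIRS):
    """Split the pairs into pure sign re-encodings and real flag changes,
    returning the two lists of RDNs in patch order."""
    pure, changed = [], []
    for _, rdn, old, new in pairs:
        (pure if same_bits(old, new) else changed).append(rdn)
    return pure, changed


if __name__ == "__main__":
    pure, changed = classify_pairs()
    print("pure re-encodings:", pure)
    for _, rdn, old, new in PATCH_PAIRS:
        if rdn in changed:
            print(f"{rdn}: {sorted(decode_system_flags(old))} ->"
                  f" {sorted(decode_system_flags(new))}")
    print("forceLogoff:", to_signed(9223372036854775808, 64))
    for name, v in [("lockoutDuration", -18000000000), ("minPwdAge", -864000000)]:
        print(f"{name}: {float(interval_seconds(v))} s")
```

Running it lists the Sites hunk's site and Servers entries as flag changes rather than re-encodings, and shows the patched minPwdAge as 86.4 s against the 1800 s of lockoutDuration.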