[SAMBA 4] Patches for "systemFlags"
Matthias Dieter Wallnöfer
mwallnoefer at yahoo.de
Tue Jun 30 07:18:18 MDT 2009
Hi Andrew!
Andrew Bartlett wrote:
> On Tue, 2009-06-30 at 10:43 +0200, Matthias Dieter Wallnöfer wrote:
>
>> Hi Andrew!
>>
>> My comments. Please consider also the patch of the display specifiers
>> (from Matthieu Patou)!
>>
>
> I saw his patch in your repo, but I need to think a bit more before
> doing the import. We need the right way to keep this maintained, for
> one.
>
Good, it's your choice! But I'd be happy to see this in soon.
To the other comments: I tried to handle all cases, reverted the wrong
object version number, split up the commits.
Regarding the "systemFlags" attribute: I set it only where it was
necessary (cases where this isn't handled in the "objectclass" LDB
module). To match the Windows behaviour better I would change the
"objectclass" LDB module to always produce the "systemFlags" attribute
negative. I'll prepare a patch on this in my repo.
Matthias
>
>> Andrew Bartlett wrote:
>>
>>> On Tue, 2009-06-30 at 10:01 +0200, Matthias Dieter Wallnöfer wrote:
>>>
>>>
>>>> Here the mentioned patches.
>>>>
>>>> Matthias
>>>>
>>>>
>>> Thank you very much. I do have a few comments, which is why I asked for
>>> you to post these here:
>>>
>>>
>>>
>>>> plain text document attachment (ldapV2.patch)
>>>> diff --git a/source4/setup/provision_rootdse_add.ldif b/source4/setup/provision_rootdse_add.ldif
>>>> index a5319f6..e4e4309 100644
>>>> --- a/source4/setup/provision_rootdse_add.ldif
>>>> +++ b/source4/setup/provision_rootdse_add.ldif
>>>> @@ -7,6 +7,7 @@ rootDomainNamingContext: ${ROOTDN}
>>>> configurationNamingContext: ${CONFIGDN}
>>>> schemaNamingContext: ${SCHEMADN}
>>>> supportedLDAPVersion: 3
>>>> +supportedLDAPVersion: 2
>>>> dnsHostName: ${DNSNAME}
>>>> ldapServiceName: ${DNSDOMAIN}:${NETBIOSNAME}$@${REALM}
>>>> serverName: ${SERVERDN}
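Review bot: The added "supportedLDAPVersion: 2" line only changes what the rootDSE advertises; nothing in this patch shows the server accepting a version 2 bind, and it arrives without a commit message. Please state which client needs version 2 and add a test that a v2 bind actually succeeds, otherwise clients that trust the advertisement will pick a protocol version the server may reject.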
>>>> plain text document attachment (ldif.patch)
>>>> diff --git a/source4/setup/display_specifiers.ldif b/source4/setup/display_specifiers.ldif
>>>> index 669a153..dc76077 100644
>>>> --- a/source4/setup/display_specifiers.ldif
>>>> +++ b/source4/setup/display_specifiers.ldif
>>>> @@ -1,6 +1,8 @@
>>>> dn: CN=DisplaySpecifiers,${CONFIGDN}
>>>> objectClass: top
>>>> objectClass: container
>>>> +objectVersion: 1
>>>>
>>>>
>>> Were we just missing the objectVersion before? Or is it a new thing in
>>> later versions of Windows?
>>>
>>>
>> Found in Windows Server 2003 (R2).
>>
>
> Can you place this as a separate patch, with a good, detailed, commit
> message in your repo?
>
>
>>>
>>>
>>>> +systemFlags: -2147483648
>>>>
>
> Is this different to the systemFlags that the object would get because
> of the objectclass module (ie, from the provision)? How is it
> different?
>
>
>>>> dn: CN=409,CN=DisplaySpecifiers,${CONFIGDN}
>>>> objectClass: top
>>>> diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
>>>> index 1afe72f..e5b20d0 100644
>>>> --- a/source4/setup/provision.ldif
>>>> +++ b/source4/setup/provision.ldif
>>>> @@ -3,7 +3,7 @@ objectClass: top
>>>> objectClass: organizationalUnit
>>>> cn: Domain Controllers
>>>> description: Default container for domain controllers
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> isCriticalSystemObject: TRUE
>>>> showInAdvancedViewOnly: FALSE
>>>>
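Review bot: The commit message should say that the systemFlags change in this hunk is representation only: 2348810240 and -1946157056 are both 0x8C000000 when read as 32 bits, so the flags on "Domain Controllers" do not change. It would also help to name the flags that 0x8C000000 stands for, and to check that no test or search filter in the tree still compares against the old decimal string.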
>>>> @@ -12,7 +12,7 @@ objectClass: top
>>>> objectClass: container
>>>> cn: ForeignSecurityPrincipals
>>>> description: Default container for security identifiers (SIDs) associated with objects from external, trusted domains
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> isCriticalSystemObject: TRUE
>>>> showInAdvancedViewOnly: FALSE
>>>>
>>>> @@ -21,14 +21,14 @@ objectClass: top
>>>> objectClass: container
>>>> cn: System
>>>> description: Builtin system settings
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> isCriticalSystemObject: TRUE
>>>>
>>>> dn: CN=RID Manager$,CN=System,${DOMAINDN}
>>>> objectclass: top
>>>> objectclass: rIDManager
>>>> cn: RID Manager$
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> isCriticalSystemObject: TRUE
>>>> fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>>>> rIDAvailablePool: 4611686014132423217
>>>> @@ -48,7 +48,7 @@ dn: CN=Infrastructure,${DOMAINDN}
>>>> objectclass: top
>>>> objectclass: infrastructureUpdate
>>>> cn: Infrastructure
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> isCriticalSystemObject: TRUE
>>>> fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>>>>
>>>> @@ -56,7 +56,7 @@ dn: CN=Builtin,${DOMAINDN}
>>>> objectClass: top
>>>> objectClass: builtinDomain
>>>> cn: Builtin
>>>> -forceLogoff: 9223372036854775808
>>>> +forceLogoff: -9223372036854775808
>>>> lockoutDuration: -18000000000
>>>> lockOutObservationWindow: -18000000000
>>>> lockoutThreshold: 0
>>>> @@ -73,10 +73,12 @@ uASCompat: 1
>>>> modifiedCount: 1
>>>> isCriticalSystemObject: TRUE
>>>> showInAdvancedViewOnly: FALSE
>>>> +systemFlags: -1946157056
>>>>
>>>> dn: CN=Policies,CN=System,${DOMAINDN}
>>>> objectClass: top
>>>> objectClass: container
>>>> +systemFlags: -1946157056
>>>>
>>>> dn: CN=IP Security,CN=System,${DOMAINDN}
>>>> objectClass: top
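Review bot: The two added "+systemFlags: -1946157056" lines in this hunk (on CN=Builtin and on CN=Policies,CN=System) are new attributes, not sign fixes, since neither entry carried systemFlags before. They belong in a separate commit from the int32 normalisation, with a note on whether the "objectclass" module would have set the same value when the object is created.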
>>>> diff --git a/source4/setup/provision_basedn_modify.ldif b/source4/setup/provision_basedn_modify.ldif
>>>> index 7b13a19..69b2481 100644
>>>> --- a/source4/setup/provision_basedn_modify.ldif
>>>> +++ b/source4/setup/provision_basedn_modify.ldif
>>>> @@ -5,7 +5,7 @@ dn: ${DOMAINDN}
>>>> changetype: modify
>>>> -
>>>> replace: forceLogoff
>>>> -forceLogoff: 9223372036854775808
>>>> +forceLogoff: -9223372036854775808
>>>> -
>>>> replace: lockoutDuration
>>>> lockoutDuration: -18000000000
>>>> @@ -20,7 +20,7 @@ replace: maxPwdAge
>>>> maxPwdAge: -37108517437440
>>>> -
>>>> replace: minPwdAge
>>>> -minPwdAge: 0
>>>> +minPwdAge: -864000000
>>>>
>>>>
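Review bot: The new value in "+minPwdAge: -864000000" looks three digits short. In the 100-nanosecond units that make the "maxPwdAge: -37108517437440" context line about 43 days, -864000000 is 86.4 seconds, while one day is -864000000000. Please confirm the intended minimum password age against the reference server and, since it changes policy rather than a sign, carry it in its own commit.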
>>> While perfectly correct, have you checked if this will create some
>>> problems for our testsuite? It might mean we are unable to check
>>> passwords as quickly, if we can't change them right away. Have a look
>>> at RPC-SAMR (we may wish to have this patch in provision, but have some
>>> other things change it for 'make test').
>>>
>>> In any case, it should not be mixed in the sign-fixing int32
>>> normalisation patch.
>>>
>>>
>> Good, so "minPwdAge" is going to be reverted (I set it to the default
>> value of Windows Server 2003).
>>
>
> I'm happy for this to be in a separate patch. I'll cherry-pick it when
> I'm confident we have the right workarounds in the testsuite.
>
>
>>>> -
>>>> replace: minPwdLength
>>>> minPwdLength: 7
>>>> @@ -64,12 +64,14 @@ modifiedCount: 1
>>>> replace: fSMORoleOwner
>>>> fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>>>> -
>>>> +replace: systemFlags
>>>> +systemFlags: -1946157056
>>>>
>>>>
>>> Are these flags not inherited correctly when the object is created?
>>>
>>>
>> I didn't notice them, so I added them.
>>
>>>
>>>
>>>> replace: isCriticalSystemObject
>>>> isCriticalSystemObject: TRUE
>>>> -
>>>> replace: subRefs
>>>> subRefs: ${CONFIGDN}
>>>> -subRefs: ${SCHEMADN}
>>>>
>>>>
>>> I'm unsure about this. Can you give a background for this change?
>>>
>>>
>> Yeah, ${SCHEMADN} is a subpartition of ${CONFIGDN} which is itself a
>> subpartition of ${BASEDN}. A transitive relation. Found also in Windows
>> Server (2003 R2).
>>
>
> OK. Place in a separate patch, with this description.
>
>
>>>> replace: gPLink
>>>> gPLink: [LDAP://CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN};0]
>>>> diff --git a/source4/setup/provision_computers_modify.ldif b/source4/setup/provision_computers_modify.ldif
>>>> index 3bb4074..110c44c 100644
>>>> --- a/source4/setup/provision_computers_modify.ldif
>>>> +++ b/source4/setup/provision_computers_modify.ldif
>>>> @@ -7,7 +7,7 @@ replace: showInAdvancedViewOnly
>>>> showInAdvancedViewOnly: FALSE
>>>> -
>>>> replace: systemFlags
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> -
>>>> replace: isCriticalSystemObject
>>>> isCriticalSystemObject: TRUE
>>>> diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
>>>> index fff3805..e84ac85 100644
>>>> --- a/source4/setup/provision_configuration.ldif
>>>> +++ b/source4/setup/provision_configuration.ldif
>>>> @@ -5,7 +5,7 @@ dn: CN=Partitions,${CONFIGDN}
>>>> objectClass: top
>>>> objectClass: crossRefContainer
>>>> cn: Partitions
>>>> -systemFlags: 2147483648
>>>> +systemFlags: -2147483648
>>>> msDS-Behavior-Version: 0
>>>> fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>>>>
>>>> @@ -38,25 +38,25 @@ dn: CN=Sites,${CONFIGDN}
>>>> objectClass: top
>>>> objectClass: sitesContainer
>>>> cn: Sites
>>>> -systemFlags: 2181038080
>>>> +systemFlags: -2113929216
>>>>
>>>> dn: CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
>>>> objectClass: top
>>>> objectClass: site
>>>> cn: ${DEFAULTSITE}
>>>> -systemFlags: 2181038080
>>>> +systemFlags: 1107296256
>>>>
>>>> dn: CN=Servers,CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
>>>> objectClass: top
>>>> objectClass: serversContainer
>>>> cn: Servers
>>>> -systemFlags: 2181038080
>>>> +systemFlags: 33554432
>>>>
>>>> dn: CN=Services,${CONFIGDN}
>>>> objectClass: top
>>>> objectClass: container
>>>> cn: Services
>>>> -systemFlags: 2147483648
>>>> +systemFlags: -2147483648
>>>>
>>>> dn: CN=Windows NT,CN=Services,${CONFIGDN}
>>>> objectClass: top
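Review bot: Two of the systemFlags changes in this hunk are not sign fixes. On CN=Sites the old 2181038080 and the new -2113929216 are both 0x82000000, but CN=${DEFAULTSITE} goes from 0x82000000 to 1107296256 (0x42000000) and CN=Servers goes to 33554432 (0x02000000), which sets and clears different bits. Those two lines need their own commit saying which flags change and why; the CN=Services line (2147483648 to -2147483648) is a plain sign change and can stay with the normalisation.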
>>>> diff --git a/source4/setup/provision_group_policy.ldif b/source4/setup/provision_group_policy.ldif
>>>> index 98c09b9..d6a4659 100644
>>>> --- a/source4/setup/provision_group_policy.ldif
>>>> +++ b/source4/setup/provision_group_policy.ldif
>>>> @@ -1,5 +1,6 @@
>>>> dn: CN=Default Domain Policy,CN=System,${DOMAINDN}
>>>> objectClass: top
>>>> +objectClass: leaf
>>>> objectClass: domainPolicy
>>>> isCriticalSystemObject: TRUE
>>>>
>>>> @@ -15,7 +16,7 @@ objectClass: groupPolicyContainer
>>>> displayName: Default Domain Policy
>>>> gPCFunctionalityVersion: 2
>>>> gPCFileSysPath: \\${DNSDOMAIN}\sysvol\${DNSDOMAIN}\Policies\{${POLICYGUID}}
>>>> -versionNumber: 1
>>>> +versionNumber: 65543
>>>> flags: 0
>>>> gPCMachineExtensionNames: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-248
>>>> 8-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4
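Review bot: The versionNumber change from 1 to 65543 is unexplained and unrelated to systemFlags. 65543 is 0x00010007, which in the usual GPO encoding is a user-side revision of 1 in the high 16 bits and a machine-side revision of 7 in the low 16 bits, so it reads like a counter copied from a server that had already been edited rather than a provisioning default. Please justify the value in a separate commit or leave it at 1.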
>>>> @@ -25,11 +26,14 @@ gPCUserExtensionNames: [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-1
>>>> 1D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-
>>>> 11D1-A7CC-0000F87571E3}]
>>>> nTSecurityDescriptor: O:${DOMAINSID}-512G:${DOMAINSID}-512D:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-519)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>> +systemFlags: -1946157056
>>>>
>>>> dn: CN=User,CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
>>>> objectClass: top
>>>> objectClass: container
>>>> +systemFlags: -1946157056
>>>>
>>>> dn: CN=Machine,CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
>>>> objectClass: top
>>>> objectClass: container
>>>> +systemFlags: -1946157056
>>>> diff --git a/source4/setup/provision_schema_basedn_modify.ldif b/source4/setup/provision_schema_basedn_modify.ldif
>>>> index d6c4589..6cd7e05 100644
>>>> --- a/source4/setup/provision_schema_basedn_modify.ldif
>>>> +++ b/source4/setup/provision_schema_basedn_modify.ldif
>>>> @@ -7,7 +7,7 @@ replace: fSMORoleOwner
>>>> fSMORoleOwner: CN=NTDS Settings,${SERVERDN}
>>>> -
>>>> replace: objectVersion
>>>> -objectVersion: 30
>>>> +objectVersion: 31
>>>> -
>>>> replace: prefixMap
>>>> prefixMap:: ${PREFIXMAP_B64}
>>>>
>>>>
>>> This patch in particular is incorrect. The objectVersion attribute
>>> actually maps back to the base schema we have loaded. Currently, we
>>> have Windows 2008's schema, and that is objectVersion 30 (how we got
>>> that much I have no idea). But by accident or design, it is correctly
>>> set. We can only move to objectVersion: 31 once we get the 2008R2
>>> schema.
>>>
>>>
>> Okay, I revert "objectVersion". I got this in my Windows Server.
>>
>
> Thanks. We do need to be careful about this kind of thing.
>
>
>>>> diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
>>>> index 77a2e49..b7ca872 100644
>>>> --- a/source4/setup/provision_self_join.ldif
>>>> +++ b/source4/setup/provision_self_join.ldif
>>>> @@ -1,6 +1,10 @@
>>>> #Join the DC to itself by default
>>>>
>>>> dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
>>>> +objectClass: top
>>>> +objectClass: person
>>>> +objectClass: organizationalPerson
>>>> +objectClass: user
>>>> objectClass: computer
>>>> cn: ${NETBIOSNAME}
>>>> userAccountControl: 532480
>>>>
>>>>
>>> Here I'm exploiting a trick in AD. We don't have to specify the full
>>> list of objectClass values, as long as we specify the last one, the rest
>>> are filled in automatically.
>>>
>>>
>> Good, but so it seems cleaner to me. Please leave it in!
>>
>
> Sure. Again, a separate patch, with commit message.
>
>
>>>> diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
>>>> index c61cb80..88146d8 100644
>>>> --- a/source4/setup/provision_users.ldif
>>>> +++ b/source4/setup/provision_users.ldif
>>>> @@ -208,7 +208,7 @@ member: CN=Administrator,CN=Users,${DOMAINDN}
>>>> objectSid: S-1-5-32-544
>>>> adminCount: 1
>>>> sAMAccountName: Administrators
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>> privilege: SeSecurityPrivilege
>>>> @@ -244,7 +244,7 @@ description: Users are prevented from making accidental or intentional system-wi
>>>> member: CN=Domain Users,CN=Users,${DOMAINDN}
>>>> objectSid: S-1-5-32-545
>>>> sAMAccountName: Users
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>>
>>>> @@ -257,7 +257,7 @@ member: CN=Domain Guests,CN=Users,${DOMAINDN}
>>>> member: CN=Guest,CN=Users,${DOMAINDN}
>>>> objectSid: S-1-5-32-546
>>>> sAMAccountName: Guests
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>>
>>>> @@ -269,7 +269,7 @@ description: Members can administer domain printers
>>>> objectSid: S-1-5-32-550
>>>> adminCount: 1
>>>> sAMAccountName: Print Operators
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>> privilege: SeLoadDriverPrivilege
>>>> @@ -284,7 +284,7 @@ description: Backup Operators can override security restrictions for the sole pu
>>>> objectSid: S-1-5-32-551
>>>> adminCount: 1
>>>> sAMAccountName: Backup Operators
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>> privilege: SeBackupPrivilege
>>>> @@ -300,7 +300,7 @@ description: Supports file replication in a domain
>>>> objectSid: S-1-5-32-552
>>>> adminCount: 1
>>>> sAMAccountName: Replicator
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>>
>>>> @@ -311,7 +311,7 @@ cn: Remote Desktop Users
>>>> description: Members in this group are granted the right to logon remotely
>>>> objectSid: S-1-5-32-555
>>>> sAMAccountName: Remote Desktop Users
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>>
>>>> @@ -322,7 +322,7 @@ cn: Network Configuration Operators
>>>> description: Members in this group can have some administrative privileges to manage configuration of networking features
>>>> objectSid: S-1-5-32-556
>>>> sAMAccountName: Network Configuration Operators
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>>
>>>> @@ -333,7 +333,7 @@ cn: Performance Monitor Users
>>>> description: Members of this group have remote access to monitor this computer
>>>> objectSid: S-1-5-32-558
>>>> sAMAccountName: Performance Monitor Users
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>>
>>>> @@ -344,7 +344,7 @@ cn: Performance Log Users
>>>> description: Members of this group have remote access to schedule logging of performance counters on this computer
>>>> objectSid: S-1-5-32-559
>>>> sAMAccountName: Performance Log Users
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>>
>>>> @@ -356,7 +356,7 @@ description: Members can administer domain servers
>>>> objectSid: S-1-5-32-549
>>>> adminCount: 1
>>>> sAMAccountName: Server Operators
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>> privilege: SeBackupPrivilege
>>>> @@ -374,7 +374,7 @@ description: Members can administer domain user and group accounts
>>>> objectSid: S-1-5-32-548
>>>> adminCount: 1
>>>> sAMAccountName: Account Operators
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>> privilege: SeInteractiveLogonRight
>>>> @@ -386,7 +386,7 @@ cn: Pre-Windows 2000 Compatible Access
>>>> description: A backward compatibility group which allows read access on all users and groups in the domain
>>>> objectSid: S-1-5-32-554
>>>> sAMAccountName: Pre-Windows 2000 Compatible Access
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>> privilege: SeRemoteInteractiveLogonRight
>>>> @@ -399,7 +399,7 @@ cn: Incoming Forest Trust Builders
>>>> description: Members of this group can create incoming, one-way trusts to this forest
>>>> objectSid: S-1-5-32-557
>>>> sAMAccountName: Incoming Forest Trust Builders
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>>
>>>> @@ -410,7 +410,7 @@ cn: Windows Authorization Access Group
>>>> description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
>>>> objectSid: S-1-5-32-560
>>>> sAMAccountName: Windows Authorization Access Group
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>>
>>>> @@ -421,7 +421,7 @@ cn: Terminal Server License Servers
>>>> description: Terminal Server License Servers
>>>> objectSid: S-1-5-32-561
>>>> sAMAccountName: Terminal Server License Servers
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>>
>>>> @@ -432,7 +432,7 @@ cn: Distributed COM Users
>>>> description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
>>>> objectSid: S-1-5-32-562
>>>> sAMAccountName: Distributed COM Users
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> groupType: -2147483643
>>>> isCriticalSystemObject: TRUE
>>>>
>>>> @@ -440,7 +440,7 @@ dn: CN=WellKnown Security Principals,${CONFIGDN}
>>>> objectClass: top
>>>> objectClass: container
>>>> cn: WellKnown Security Principals
>>>> -systemFlags: 2147483648
>>>> +systemFlags: -2147483648
>>>>
>>>> dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
>>>> objectClass: top
>>>> diff --git a/source4/setup/provision_users_modify.ldif b/source4/setup/provision_users_modify.ldif
>>>> index 06954c4..a7e8a43 100644
>>>> --- a/source4/setup/provision_users_modify.ldif
>>>> +++ b/source4/setup/provision_users_modify.ldif
>>>> @@ -7,7 +7,7 @@ replace: showInAdvancedViewOnly
>>>> showInAdvancedViewOnly: FALSE
>>>> -
>>>> replace: systemFlags
>>>> -systemFlags: 2348810240
>>>> +systemFlags: -1946157056
>>>> -
>>>> replace: isCriticalSystemObject
>>>> isCriticalSystemObject: TRUE
>>>>
>>>>
>
> I'm happy with the systemFlags stuff, where it just changes the sign for
> the same bit value (easy way to check is to use 'i 2348810240' and 'i
> -1946157056').
>
> However, could you please verify that we have to set these, and that the
> default systemFlags is incorrect for some reason.
>
> Thanks,
>
> Andrew Bartlett
>
>
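The "same bit value, different sign" check discussed at the end of this thread, as an added example that is not part of the original message or of Samba's code: it reinterprets each old/new pair at the attribute's width and reports whether a change is sign-only, a real value change, or a new attribute. The attribute widths and the sample diff (lines copied from the hunks quoted above) are assumptions of the example.

```python
import re

# Assumed widths in bits: systemFlags is a 32-bit integer attribute, the two
# policy attributes are 64-bit intervals. Attributes not listed default to 32.
WIDTH = {"systemFlags": 32, "forceLogoff": 64, "minPwdAge": 64}

# Constructed sample: -/+ pairs copied from the hunks quoted in this thread.
SAMPLE_DIFF = """\
--- a/source4/setup/provision_configuration.ldif
+++ b/source4/setup/provision_configuration.ldif
 cn: Sites
-systemFlags: 2181038080
+systemFlags: -2113929216
 cn: ${DEFAULTSITE}
-systemFlags: 2181038080
+systemFlags: 1107296256
 cn: Servers
-systemFlags: 2181038080
+systemFlags: 33554432
-forceLogoff: 9223372036854775808
+forceLogoff: -9223372036854775808
-minPwdAge: 0
+minPwdAge: -864000000
+systemFlags: -1946157056
"""

# A removed or added "attr: integer" line; file headers and context do not match.
CHANGE = re.compile(r"^([-+])(\w+): (-?\d+)$")


def to_signed(value, bits):
    """Reinterpret an integer as a two's-complement signed value of `bits` width."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value >> (bits - 1) else value


def classify(old, new, bits):
    """'sign-only' when both values have the same bit pattern at this width."""
    mask = (1 << bits) - 1
    return "sign-only" if (old & mask) == (new & mask) else "value-change"


def review(diff_text):
    """Pair each removed line with the added line that directly follows it."""
    results, pending = [], None
    for line in diff_text.splitlines():
        m = CHANGE.match(line)
        if not m:
            pending = None
            continue
        sign, attr, value = m.group(1), m.group(2), int(m.group(3))
        if sign == "-":
            pending = (attr, value)
            continue
        if pending and pending[0] == attr:
            verdict = classify(pending[1], value, WIDTH.get(attr, 32))
            results.append((attr, pending[1], value, verdict))
        else:
            results.append((attr, None, value, "added"))  # no old value to compare
        pending = None
    return results


if __name__ == "__main__":
    for attr, old, new, verdict in review(SAMPLE_DIFF):
        bits = WIDTH.get(attr, 32)
        print(f"{attr}: {old} -> {new} (signed {to_signed(new, bits)}): {verdict}")
```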