s4:provision: don't use hardcoded values for 'nextRid' and 'rIDAvailablePool'
author: Stefan Metzmacher <metze@samba.org>
Fri, 25 Jun 2010 09:11:56 +0000 (11:11 +0200)
committer: Stefan Metzmacher <metze@samba.org>
Sat, 26 Jun 2010 07:50:54 +0000 (09:50 +0200)
On Windows dcpromo imports nextRid from the local SAM,
which means it's not hardcoded to 1000.

The initial rIDAvailablePool starts at nextRid + 100.

I also found that the RID Set of the local dc
should be created via provision and not at runtime,
when the first rid is needed.
(Tested with dcpromo on w2k8r2, while disabling the DNS
 check box).

After provision we should have this (assuming nextRid=1000):

rIDAllocationPool: 1100-1599
rIDPrevAllocationPool: 1100-1599
rIDUsedPool: 0
rIDNextRID: 1100

rIDAvailablePool: 1600-1073741823

Because provision sets rIDNextRid=1100, the first created account
(typically DNS related accounts) will get 1101 as rid!

metze

source4/scripting/python/samba/provision.py
source4/setup/provision.ldif
source4/setup/provision_basedn_modify.ldif
source4/setup/provision_self_join.ldif
source4/setup/provision_self_join_modify.ldif

index f48795d3631724589f349f6a3035dce8bce0a618..808a39db1f6896628839d02d2d38952c98bcd85e 100644 (file)
@@ -868,7 +868,7 @@ def setup_samdb_rootdse(samdb, setup_path, names):
 
 def setup_self_join(samdb, names,
                     machinepass, dnspass, 
-                    domainsid, invocationid, setup_path,
+                    domainsid, next_rid, invocationid, setup_path,
                     policyguid, policyguid_dc, domainControllerFunctionality,
                     ntdsguid):
     """Join a host to its own domain."""
@@ -890,6 +890,7 @@ def setup_self_join(samdb, names,
               "REALM": names.realm,
               "DOMAIN": names.domain,
               "DOMAINSID": str(domainsid),
+              "DCRID": str(next_rid),
               "DNSDOMAIN": names.dnsdomain,
               "SAMBA_VERSION_STRING": version,
               "NTDSGUID": ntdsguid_line,
@@ -920,6 +921,8 @@ def setup_self_join(samdb, names,
               "NETBIOSNAME": names.netbiosname,
               "NTDSGUID": names.ntdsguid,
               "DNSPASS_B64": b64encode(dnspass),
+              "RIDALLOCATIONSTART": str(next_rid + 100),
+              "RIDALLOCATIONEND": str(next_rid + 100 + 499),
               })
 
 def getpolicypath(sysvolpath, dnsdomain, guid):
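Review bot: the literals 100 and 499 encode the DC's initial RID pool (an inclusive range of 500 RIDs beginning 100 above nextRid, matching the 1100-1599 in the commit message) but nothing in the code says so; a short comment, or named values such as a pool offset of 100 and a pool size of 500 with RIDALLOCATIONEND computed as start + size - 1, would make the intent readable and avoid the off-by-one that "+ 499" invites on a later edit.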
@@ -947,7 +950,8 @@ def setup_gpo(sysvolpath, dnsdomain, policyguid, policyguid_dc):
 def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
         logger, domainsid, domainguid, policyguid, policyguid_dc, fill,
         adminpass, krbtgtpass, machinepass, invocationid, dnspass, ntdsguid,
-        serverrole, am_rodc=False, dom_for_fun_level=None, schema=None):
+        serverrole, am_rodc=False, dom_for_fun_level=None, schema=None,
+        next_rid=1000):
     """Setup a complete SAM Database.
     
     :note: This will wipe the main SAM database file!
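Review bot: the new keyword parameter next_rid=1000 preserves the old behaviour for existing callers, but the docstring "Setup a complete SAM Database." that follows does not mention it; add a :param next_rid: line describing it as the value written to nextRid on the domain object and used as the DC account's RID, and note that an int is expected.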
@@ -1027,6 +1031,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
         setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
             "CREATTIME": str(int(time.time() * 1e7)), # seconds -> ticks
             "DOMAINSID": str(domainsid),
+            "NEXTRID": str(next_rid),
             "SCHEMADN": names.schemadn, 
             "NETBIOSNAME": names.netbiosname,
             "DEFAULTSITE": names.sitename,
@@ -1109,6 +1114,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
             "DEFAULTSITE": names.sitename,
             "CONFIGDN": names.configdn,
             "SERVERDN": names.serverdn,
+            "RIDAVAILABLESTART": str(next_rid + 600),
             "POLICYGUID_DC": policyguid_dc
             })
 
@@ -1132,7 +1138,9 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
             setup_self_join(samdb, names=names, invocationid=invocationid,
                             dnspass=dnspass,
                             machinepass=machinepass,
-                            domainsid=domainsid, policyguid=policyguid,
+                            domainsid=domainsid,
+                            next_rid=next_rid,
+                            policyguid=policyguid,
                             policyguid_dc=policyguid_dc,
                             setup_path=setup_path,
                             domainControllerFunctionality=domainControllerFunctionality,
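Review bot: passing next_rid=next_rid by keyword is what keeps this call correct after next_rid was inserted mid-signature in setup_self_join; fine as written, but any other caller of setup_self_join outside this patch needs the same update or its arguments will be shifted.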
index 7ba3183c94f269fb4aac9f53e2c7c88afcdc740c..2159aeff982c1785663ce277e7a2b8a92cdf5616 100644 (file)
@@ -809,7 +809,7 @@ dn: CN=RID Manager$,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: rIDManager
 systemFlags: -1946157056
-rIDAvailablePool: 1001-1073741823
+rIDAvailablePool: ${RIDAVAILABLESTART}-1073741823
 isCriticalSystemObject: TRUE
 
 dn: CN=RpcServices,CN=System,${DOMAINDN}
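Review bot: the lower bound of rIDAvailablePool is now templated while the upper bound 1073741823 stays a literal, which is fine, but a comment above the entry saying that ${RIDAVAILABLESTART} is next_rid + 600 (one past the DC's initial RID set; 1600 for the default nextRid of 1000) would spare the next reader a trip into provision.py to see why 1001 disappeared.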
index 1d5345c60ecba44c1b23572f4a1e14550af2b8ea..b4f301677031700a2d6e8cb8de281afaf97523dc 100644 (file)
@@ -68,7 +68,7 @@ replace: msDS-PerUserTrustTombstonesQuota
 msDS-PerUserTrustTombstonesQuota: 10
 -
 replace: nextRid
-nextRid: 1000
+nextRid: ${NEXTRID}
 -
 replace: nTMixedDomain
 nTMixedDomain: 0
index d4d06f6e6312bbb7f581c015034f0cb25267b82d..2530a0e7889918a9613d2d5fb376c9557045faca 100644 (file)
@@ -32,7 +32,7 @@ servicePrincipalName: ldap/${DNSNAME}
 servicePrincipalName: ldap/${DNSNAME}/${REALM}
 userAccountControl: 532480
 userPassword:: ${MACHINEPASS_B64}
-objectSID: ${DOMAINSID}-1000
+objectSID: ${DOMAINSID}-${DCRID}
 
 # Here are missing the objects for the NTFRS subscription since we don't
 # support this technique yet.
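Review bot: objectSID: ${DOMAINSID}-${DCRID} makes the DC's own machine account RID equal to nextRid, and it is only safe because the DC's RID Set starts at nextRid + 100 and the available pool at nextRid + 600, so no later allocation can hand out the same RID; that relationship was obvious when the literal 1000 sat next to a hardcoded nextRid of 1000 and is not obvious from the template, so a one-line comment here would help.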
index f81a2b69c7da0e33b81f2f71d502a0e3cff56ad2..c2bba888b7edad81b5ea24e2e0d3288d5ea99173 100644 (file)
@@ -28,11 +28,21 @@ changetype: modify
 replace: interSiteTopologyGenerator
 interSiteTopologyGenerator: CN=NTDS Settings,${SERVERDN}
 
+dn: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
+changetype: add
+objectClass: rIDSet
+rIDAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
+rIDPreviousAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
+rIDUsedPool: 0
+rIDNextRID: ${RIDALLOCATIONSTART}
+
 dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
 changetype: modify
 add: servicePrincipalName
 servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN}
 servicePrincipalName: ldap/${NTDSGUID}._msdcs.${DNSDOMAIN}
+add: rIDSetReferences
+rIDSetReferences: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
 
 # NOTE: This account is SAMBA4 specific!
 dn: CN=dns,CN=Users,${DOMAINDN}
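Review bot: in the modify record for CN=${NETBIOSNAME},OU=Domain Controllers, the new `add: rIDSetReferences` follows the servicePrincipalName values with no `-` separator line between the two changes, unlike provision_basedn_modify.ldif in this same patch, which separates each replace: with a `-` line; RFC 2849 requires that separator, so add a `-` before `add: rIDSetReferences` even if Samba's LDIF reader tolerates its absence. The new RID Set entry itself matches the commit message (rIDAllocationPool and rIDPreviousAllocationPool equal, rIDUsedPool 0, rIDNextRID at the pool start), and creating it at provision time rather than on first use removes a runtime step that could otherwise race with the first account creation.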