s4:provision: set the correct nTSecurityDescriptor on CN=Builtin,... (bug #9481)
authorStefan Metzmacher <metze@samba.org>
Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)
committerMichael Adam <obnox@samba.org>
Tue, 11 Dec 2012 04:04:44 +0000 (05:04 +0100)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
source4/scripting/python/samba/provision/__init__.py
source4/scripting/python/samba/provision/descriptor.py
source4/setup/provision.ldif

index 74288c1347d52eb8dd9afc338bfe5db755291a97..a081cea495105640caca49b40bdd76a103605067 100644 (file)
@@ -83,6 +83,7 @@ from samba.provision.descriptor import (
     get_config_sites_descriptor,
     get_domain_descriptor,
     get_domain_infrastructure_descriptor,
+    get_domain_builtin_descriptor,
     )
 from samba.provision.common import (
     setup_path,
@@ -1298,6 +1299,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
                 "DOMAINDN": names.domaindn})
         logger.info("Setting up sam.ldb data")
         infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid))
+        builtin_desc = b64encode(get_domain_builtin_descriptor(domainsid))
         setup_add_ldif(samdb, setup_path("provision.ldif"), {
             "CREATTIME": str(samba.unix2nttime(int(time.time()))),
             "DOMAINDN": names.domaindn,
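Review bot: The new `builtin_desc` line, like the `infrastructure_desc` line above it, base64-encodes an NDR-packed descriptor with no comment saying why; the reason appears to be that provision.ldif consumes the value through the LDIF base64 attribute form (`nTSecurityDescriptor:: ${BUILTIN_DESCRIPTOR}` in this commit's provision.ldif hunk), so the substitution must already be base64 text. Suggest a comment above the two lines: `# base64: provision.ldif binds these via the LDIF "attr::" (base64) syntax`. fill_samdb starts and ends outside this hunk, and the same remark covers the `"BUILTIN_DESCRIPTOR"` dict entry in the following hunk.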
@@ -1308,6 +1310,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
             "RIDAVAILABLESTART": str(next_rid + 600),
             "POLICYGUID_DC": policyguid_dc,
             "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
+            "BUILTIN_DESCRIPTOR": builtin_desc,
             })
 
         # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
index db38e19a3e710e922fd6dee96c74d0a56c460064..d37e2cdeaf8803e77786342a35c33e8ff421ef9b 100644 (file)
@@ -153,6 +153,63 @@ def get_domain_infrastructure_descriptor(domain_sid):
     sec = security.descriptor.from_sddl(sddl, domain_sid)
     return ndr_pack(sec)
 
+def get_domain_builtin_descriptor(domain_sid):
+    sddl = "D:" \
+    "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
+    "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
+    "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
+    "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
+    "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
+    "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
+    "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
+    "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
+    "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
+    "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
+    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \
+    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \
+    "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \
+    "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \
+    "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \
+    "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \
+    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+    "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+    "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+    "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \
+    "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \
+    "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \
+    "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
+    "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \
+    "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
+    "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \
+    "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \
+    "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \
+    "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \
+    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+    "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+    "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+    "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \
+    "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \
+    "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \
+    "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \
+    "(A;;RPRC;;;RU)" \
+    "(A;CI;LC;;;RU)" \
+    "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \
+    "(A;;RP;;;WD)" \
+    "(A;;RPLCLORC;;;ED)" \
+    "(A;;RPLCLORC;;;AU)" \
+    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+    "S:" \
+    "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \
+    "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \
+    "(AU;SA;CR;;;DU)" \
+    "(AU;SA;CR;;;BA)" \
+    "(AU;SA;WPWOWD;;;WD)"
+    sec = security.descriptor.from_sddl(sddl, domain_sid)
+    return ndr_pack(sec)
+
 def get_dns_partition_descriptor(domainsid):
     sddl = "O:SYG:BAD:AI" \
     "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
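Review bot: `get_domain_builtin_descriptor` has no docstring, and an SDDL literal of over fifty ACEs cannot be audited later without knowing where it came from; please add a docstring along the lines of "Return the NDR-packed default nTSecurityDescriptor for CN=Builtin in the domain, built from SDDL with domain-relative SIDs resolved against domain_sid", plus a comment naming the source of the ACE list (presumably the Windows defaults, but the change does not say). The SDDL opens with a bare `D:` (no owner/group, no `AI` control flag) while `get_dns_partition_descriptor` just below opens with `"O:SYG:BAD:AI"`; if the difference is deliberate, for instance to match `get_domain_infrastructure_descriptor` whose SDDL sits above this hunk, a one-line comment stating that would stop someone "correcting" it. The `from_sddl` / `ndr_pack` tail duplicates the two lines that end the function above; a small shared helper would remove the repetition, though that is optional.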
index 0dcb7d41cd370332aae5c99a7357000803089571..5d20189de296056828c457cf9f6eab4314379898 100644 (file)
@@ -24,6 +24,7 @@ serverState: 1
 showInAdvancedViewOnly: FALSE
 systemFlags: -1946157056
 uASCompat: 1
+nTSecurityDescriptor:: ${BUILTIN_DESCRIPTOR}
 
 dn: CN=Deleted Objects,${DOMAINDN}
 objectClass: top
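Review bot: The attribute is added only to the provision-time template, so a domain provisioned before this change presumably keeps its old descriptor on CN=Builtin (the state bug #9481 describes) unless some upgrade or dbcheck step rewrites it; if such a path exists the commit message should name it, and if not it is worth a follow-up. The entry this attribute belongs to starts above the hunk, so the dn is not visible here; a `# default descriptor, generated by get_domain_builtin_descriptor() in descriptor.py` comment next to the new line would tie the template value to its generator.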