s4:provision: set the correct nTSecurityDescriptor on CN=Computers,... (bug #9481)
authorStefan Metzmacher <metze@samba.org>
Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)
committerMichael Adam <obnox@samba.org>
Tue, 11 Dec 2012 04:04:48 +0000 (05:04 +0100)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
source4/scripting/python/samba/provision/__init__.py
source4/scripting/python/samba/provision/descriptor.py
source4/setup/provision_computers_add.ldif

index a081cea495105640caca49b40bdd76a103605067..52dacdec32c42dfcb662d52ee602c505574733d7 100644 (file)
@@ -84,6 +84,7 @@ from samba.provision.descriptor import (
     get_domain_descriptor,
     get_domain_infrastructure_descriptor,
     get_domain_builtin_descriptor,
+    get_domain_computers_descriptor,
     )
 from samba.provision.common import (
     setup_path,
@@ -1291,8 +1292,11 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
         setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
                 "DOMAINDN": names.domaindn})
         logger.info("Adding computers container")
+        computers_desc = b64encode(get_domain_computers_descriptor(domainsid))
         setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), {
-                "DOMAINDN": names.domaindn})
+                "DOMAINDN": names.domaindn,
+                "COMPUTERS_DESCRIPTOR": computers_desc
+                })
         logger.info("Modifying computers container")
         setup_modify_ldif(samdb,
             setup_path("provision_computers_modify.ldif"), {
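Review bot: The new descriptor reaches the directory only through provision_computers_add.ldif, so it takes effect when the container is created. Nothing in this hunk changes domains provisioned before the fix, and those would keep whatever ACL CN=Computers already has. If the upgrade path corrects that elsewhere, it is not visible here. A comment above the `computers_desc = ...` line would make the scope clear, e.g. `# Applied at container creation only; already-provisioned domains are not updated by this code path`. fill_samdb begins and ends outside the hunk.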
index d37e2cdeaf8803e77786342a35c33e8ff421ef9b..8d71969cfd5cf357be749bae478e3a0e7211a712 100644 (file)
@@ -210,6 +210,20 @@ def get_domain_builtin_descriptor(domain_sid):
     sec = security.descriptor.from_sddl(sddl, domain_sid)
     return ndr_pack(sec)
 
+def get_domain_computers_descriptor(domain_sid):
+    sddl = "D:" \
+    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+    "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \
+    "(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)" \
+    "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \
+    "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \
+    "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \
+    "(A;;RPLCLORC;;;AU)" \
+    "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \
+    "S:"
+    sec = security.descriptor.from_sddl(sddl, domain_sid)
+    return ndr_pack(sec)
+
 def get_dns_partition_descriptor(domainsid):
     sddl = "O:SYG:BAD:AI" \
     "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
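Review bot: get_domain_computers_descriptor has no docstring, and its SDDL carries five bare class GUIDs, so a reader auditing who may create or delete children of CN=Computers has to look each one up. I would add `"""Return the NDR-packed security descriptor for CN=Computers,<domain DN>."""` and a short comment above the string naming the object class behind each GUID and expanding the trustee aliases (SY, DA, AO, PO, AU). The GUIDs appear to be the computer, user, group, printQueue and inetOrgPerson classes, which should be confirmed against the schema. The string also starts at `D:` with no `O:`/`G:` part, while get_dns_partition_descriptor just below begins `O:SYG:BA`. If owner and group are meant to be defaulted when the object is added, a one-line comment saying so would settle it.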
index 6db3f4152413a4622eaede2229020b879adfb1e3..45e2aa423f3fd98623b18bc27a39eb1638d61701 100644 (file)
@@ -1,3 +1,4 @@
 dn: CN=Computers,${DOMAINDN}
 objectClass: top
 objectClass: container
+nTSecurityDescriptor:: ${COMPUTERS_DESCRIPTOR}