get_domain_builtin_descriptor,
get_domain_computers_descriptor,
get_domain_users_descriptor,
+ get_domain_controllers_descriptor
)
from samba.provision.common import (
setup_path,
logger.info("Setting up sam.ldb data")
infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid))
builtin_desc = b64encode(get_domain_builtin_descriptor(domainsid))
+ controllers_desc = b64encode(get_domain_controllers_descriptor(domainsid))
setup_add_ldif(samdb, setup_path("provision.ldif"), {
"CREATTIME": str(samba.unix2nttime(int(time.time()))),
"DOMAINDN": names.domaindn,
"POLICYGUID_DC": policyguid_dc,
"INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
"BUILTIN_DESCRIPTOR": builtin_desc,
+ "DOMAIN_CONTROLLERS_DESCRIPTOR": controllers_desc,
})
# If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
sec = security.descriptor.from_sddl(sddl, domain_sid)
return ndr_pack(sec)
+def get_domain_controllers_descriptor(domain_sid):
+ sddl = "D:" \
+ "(A;;RPLCLORC;;;AU)" \
+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "(A;;RPLCLORC;;;ED)" \
+ "S:" \
+ "(AU;SA;CCDCWOWDSDDT;;;WD)" \
+ "(AU;CISA;WP;;;WD)"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return ndr_pack(sec)
+
def get_dns_partition_descriptor(domainsid):
sddl = "O:SYG:BAD:AI" \
"(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
isCriticalSystemObject: TRUE
showInAdvancedViewOnly: FALSE
gPLink: [LDAP://CN={${POLICYGUID_DC}},CN=Policies,CN=System,${DOMAINDN};0]
+nTSecurityDescriptor:: ${DOMAIN_CONTROLLERS_DESCRIPTOR}
# Joined DC located in "provision_self_join.ldif"