r8790: Finish the migration of aliases and privilages with SamSync, by adding
authorAndrew Bartlett <abartlet@samba.org>
Wed, 27 Jul 2005 00:23:09 +0000 (00:23 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:30:05 +0000 (13:30 -0500)
templating support for foreignSecurityPrincipals to the samdb module.
This is an extension beyond what microsoft does, and has been very
useful :-)

The setup scripts have been modified to use the new template, as has
the SAMR and LSA code.

Other cleanups in LSA remove the assumption that the short domain name
is the first component of the realm.

Also add a lot of useful debug messages, to make it clear how/why the
SamSync may have gone wrong.  Many of these should perhaps be hooked
into an error string.

Andrew Bartlett

source/libnet/libnet_samsync_ldb.c
source/rpc_server/lsa/dcesrv_lsa.c
source/rpc_server/samr/dcesrv_samr.c
source/scripting/libjs/provision.js
source/setup/provision
source/setup/provision.ldif
source/setup/provision_templates.ldif
source/setup/provision_users.ldif [new file with mode: 0644]

index 2414b2795f1b2f411543535a24119688cc8a3f2b..38d6d267b83eea034c6444b7b27e7bc30585202a 100644 (file)
@@ -5,6 +5,7 @@
 
    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
    Copyright (C) Andrew Tridgell 2004
+   Copyright (C) Volker Lendecke 2004
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -50,6 +51,56 @@ struct samsync_ldb_state {
        struct samsync_ldb_trusted_domain *trusted_domains;
 };
 
+static NTSTATUS samsync_ldb_add_foreignSecurityPrincipal(TALLOC_CTX *mem_ctx,
+                                                        struct samsync_ldb_state *state,
+                                                        struct dom_sid *sid,
+                                                        char **fsp_dn)
+{
+       const char *sidstr = dom_sid_string(mem_ctx, sid);
+       /* We assume that ForeignSecurityPrincipals are under the BASEDN of the main domain */
+       const char *basedn = samdb_search_string(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN],
+                                                "dn",
+                                                "(&(objectClass=container)"
+                                                "(cn=ForeignSecurityPrincipals))");
+       struct ldb_message *msg;
+       int ret;
+
+       if (!sidstr) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       if (basedn == NULL) {
+               DEBUG(0, ("Failed to find DN for "
+                         "ForeignSecurityPrincipal container\n"));
+               return NT_STATUS_INTERNAL_DB_CORRUPTION;
+       }
+       
+       msg = ldb_msg_new(mem_ctx);
+       if (msg == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       /* add core elements to the ldb_message for the alias */
+       msg->dn = talloc_asprintf(mem_ctx, "CN=%s,%s", sidstr, basedn);
+       if (msg->dn == NULL)
+               return NT_STATUS_NO_MEMORY;
+       
+       samdb_msg_add_string(state->sam_ldb, mem_ctx, msg,
+                            "objectClass",
+                            "foreignSecurityPrincipal");
+
+       *fsp_dn = msg->dn;
+
+       /* create the alias */
+       ret = samdb_add(state->sam_ldb, mem_ctx, msg);
+       if (ret != 0) {
+               DEBUG(0,("Failed to create foreignSecurityPrincipal "
+                        "record %s: %s\n", msg->dn, ldb_errstring(state->sam_ldb)));
+               return NT_STATUS_INTERNAL_DB_CORRUPTION;
+       }
+       return NT_STATUS_OK;
+}
+
 static NTSTATUS samsync_ldb_handle_domain(TALLOC_CTX *mem_ctx,
                                          struct samsync_ldb_state *state,
                                          struct creds_CredentialState *creds,
@@ -178,6 +229,11 @@ static NTSTATUS samsync_ldb_handle_user(TALLOC_CTX *mem_ctx,
        } else if (ret == 0) {
                add = True;
        } else if (ret > 1) {
+               DEBUG(0, ("More than one user with SID: %s\n", 
+                         dom_sid_string(mem_ctx, 
+                                        dom_sid_add_rid(mem_ctx, 
+                                                        state->dom_sid[database], 
+                                                        rid))));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else {
                msg->dn = talloc_steal(msg, msgs[0]->dn);
@@ -317,10 +373,16 @@ static NTSTATUS samsync_ldb_delete_user(TALLOC_CTX *mem_ctx,
                           ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))); 
 
        if (ret == -1) {
+               DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else if (ret == 0) {
                return NT_STATUS_NO_SUCH_USER;
        } else if (ret > 1) {
+               DEBUG(0, ("More than one user with SID: %s\n", 
+                         dom_sid_string(mem_ctx, 
+                                        dom_sid_add_rid(mem_ctx, 
+                                                        state->dom_sid[database], 
+                                                        rid))));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        }
 
@@ -361,10 +423,16 @@ static NTSTATUS samsync_ldb_handle_group(TALLOC_CTX *mem_ctx,
                           ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))); 
 
        if (ret == -1) {
+               DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else if (ret == 0) {
                add = True;
        } else if (ret > 1) {
+               DEBUG(0, ("More than one group/alias with SID: %s\n", 
+                         dom_sid_string(mem_ctx, 
+                                        dom_sid_add_rid(mem_ctx, 
+                                                        state->dom_sid[database], 
+                                                        rid))));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else {
                msg->dn = talloc_steal(msg, msgs[0]->dn);
@@ -438,10 +506,16 @@ static NTSTATUS samsync_ldb_delete_group(TALLOC_CTX *mem_ctx,
                           ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))); 
 
        if (ret == -1) {
+               DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else if (ret == 0) {
                return NT_STATUS_NO_SUCH_GROUP;
        } else if (ret > 1) {
+               DEBUG(0, ("More than one group/alias with SID: %s\n", 
+                         dom_sid_string(mem_ctx, 
+                                        dom_sid_add_rid(mem_ctx, 
+                                                        state->dom_sid[database], 
+                                                        rid))));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        }
        
@@ -479,10 +553,16 @@ static NTSTATUS samsync_ldb_handle_group_member(TALLOC_CTX *mem_ctx,
                           ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))); 
 
        if (ret == -1) {
+               DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else if (ret == 0) {
                return NT_STATUS_NO_SUCH_GROUP;
        } else if (ret > 1) {
+               DEBUG(0, ("More than one group/alias with SID: %s\n", 
+                         dom_sid_string(mem_ctx, 
+                                        dom_sid_add_rid(mem_ctx, 
+                                                        state->dom_sid[database], 
+                                                        rid))));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else {
                msg->dn = talloc_steal(msg, msgs[0]->dn);
@@ -497,6 +577,7 @@ static NTSTATUS samsync_ldb_handle_group_member(TALLOC_CTX *mem_ctx,
                                   ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], group_member->rids[i]))); 
 
                if (ret == -1) {
+                       DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
                        return NT_STATUS_INTERNAL_DB_CORRUPTION;
                } else if (ret == 0) {
                        return NT_STATUS_NO_SUCH_USER;
@@ -546,10 +627,16 @@ static NTSTATUS samsync_ldb_handle_alias(TALLOC_CTX *mem_ctx,
                           ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))); 
 
        if (ret == -1) {
+               DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else if (ret == 0) {
                add = True;
        } else if (ret > 1) {
+               DEBUG(0, ("More than one group/alias with SID: %s\n", 
+                         dom_sid_string(mem_ctx, 
+                                        dom_sid_add_rid(mem_ctx, 
+                                                        state->dom_sid[database], 
+                                                        rid))));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else {
                msg->dn = talloc_steal(mem_ctx, msgs[0]->dn);
@@ -625,6 +712,7 @@ static NTSTATUS samsync_ldb_delete_alias(TALLOC_CTX *mem_ctx,
                           ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))); 
 
        if (ret == -1) {
+               DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else if (ret == 0) {
                return NT_STATUS_NO_SUCH_ALIAS;
@@ -666,10 +754,16 @@ static NTSTATUS samsync_ldb_handle_alias_member(TALLOC_CTX *mem_ctx,
                           ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))); 
 
        if (ret == -1) {
+               DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else if (ret == 0) {
                return NT_STATUS_NO_SUCH_GROUP;
        } else if (ret > 1) {
+               DEBUG(0, ("More than one group/alias with SID: %s\n", 
+                         dom_sid_string(mem_ctx, 
+                                        dom_sid_add_rid(mem_ctx, 
+                                                        state->dom_sid[database], 
+                                                        rid))));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else {
                msg->dn = talloc_steal(msg, msgs[0]->dn);
@@ -678,20 +772,29 @@ static NTSTATUS samsync_ldb_handle_alias_member(TALLOC_CTX *mem_ctx,
        talloc_free(msgs);
 
        for (i=0; i<alias_member->sids.num_sids; i++) {
-               /* search for the group, by rid */
-               ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
+               char *alias_member_dn;
+               /* search for members, in the top basedn (normal users are builtin aliases) */
+               ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
                                   "(objectSid=%s)", 
                                   ldap_encode_ndr_dom_sid(mem_ctx, alias_member->sids.sids[i].sid)); 
 
                if (ret == -1) {
+                       DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
                        return NT_STATUS_INTERNAL_DB_CORRUPTION;
                } else if (ret == 0) {
-                       return NT_STATUS_NO_SUCH_USER;
-               } else if (ret > 1) {
+                       NTSTATUS nt_status;
+                       nt_status = samsync_ldb_add_foreignSecurityPrincipal(mem_ctx, state,
+                                                                            alias_member->sids.sids[i].sid, 
+                                                                            &alias_member_dn);
+                       if (!NT_STATUS_IS_OK(nt_status)) {
+                               return nt_status;
+                       }
+               } else if (ret > 1) {
                        return NT_STATUS_INTERNAL_DB_CORRUPTION;
                } else {
-                       samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "member", msgs[0]->dn);
+                       alias_member_dn = msgs[0]->dn;
                }
+               samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "member", alias_member_dn);
        
                talloc_free(msgs);
        }
@@ -716,6 +819,7 @@ static NTSTATUS samsync_ldb_handle_account(TALLOC_CTX *mem_ctx,
 
        struct ldb_message *msg;
        struct ldb_message **msgs;
+       char *privilage_dn;
        int ret;
        const char *attrs[] = { NULL };
        int i;
@@ -725,20 +829,32 @@ static NTSTATUS samsync_ldb_handle_account(TALLOC_CTX *mem_ctx,
                return NT_STATUS_NO_MEMORY;
        }
 
-       /* search for the account, by sid */
-       ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
+       /* search for the account, by sid, in the top basedn */
+       ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
                           "(objectSid=%s)", ldap_encode_ndr_dom_sid(mem_ctx, sid)); 
 
        if (ret == -1) {
+               DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else if (ret == 0) {
-               return NT_STATUS_NO_SUCH_USER;
+               NTSTATUS nt_status;
+               nt_status = samsync_ldb_add_foreignSecurityPrincipal(mem_ctx, state,
+                                                                    sid,
+                                                                    &privilage_dn);
+               privilage_dn = talloc_steal(msg, privilage_dn);
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       return nt_status;
+               }
        } else if (ret > 1) {
+               DEBUG(0, ("More than one account with SID: %s\n", 
+                         dom_sid_string(mem_ctx, sid)));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else {
-               msg->dn = talloc_steal(msg, msgs[0]->dn);
+               privilage_dn = talloc_steal(msg, msgs[0]->dn);
        }
 
+       msg->dn = privilage_dn;
+
        for (i=0; i< account->privilege_entries; i++) {
                samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "privilage",
                                     account->privilege_name[i].string);
@@ -771,16 +887,19 @@ static NTSTATUS samsync_ldb_delete_account(TALLOC_CTX *mem_ctx,
                return NT_STATUS_NO_MEMORY;
        }
 
-       /* search for the account, by sid */
-       ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
+       /* search for the account, by sid, in the top basedn */
+       ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
                           "(objectSid=%s)", 
                           ldap_encode_ndr_dom_sid(mem_ctx, sid)); 
 
        if (ret == -1) {
+               DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else if (ret == 0) {
                return NT_STATUS_NO_SUCH_USER;
        } else if (ret > 1) {
+               DEBUG(0, ("More than one account with SID: %s\n", 
+                         dom_sid_string(mem_ctx, sid)));
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        } else {
                msg->dn = talloc_steal(msg, msgs[0]->dn);
index 78973776f1a48b3f252404129911d6535f17f4d5..85f94712ba089f70b013101aa789d8c3ecc25f19 100644 (file)
@@ -220,6 +220,9 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
                                     struct lsa_policy_state **_state)
 {
        struct lsa_policy_state *state;
+       const char *domain_attrs[] =  {"nETBIOSName", "nCName", NULL};
+       int ret_domain;
+       struct ldb_message **msgs_domain;
 
        state = talloc(mem_ctx, struct lsa_policy_state);
        if (!state) {
@@ -237,36 +240,47 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
                return NT_STATUS_INVALID_SYSTEM_SERVICE;
        }
 
+       ret_domain = gendb_search(state->sam_ldb, mem_ctx, NULL, &msgs_domain, domain_attrs,
+                                 "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))", 
+                                 lp_workgroup());
+       
+       if (ret_domain == -1) {
+               return NT_STATUS_INTERNAL_DB_CORRUPTION;
+       }
+               
+       if (ret_domain != 1) {
+               return NT_STATUS_NO_SUCH_DOMAIN;                
+       }
+
        /* work out the domain_dn - useful for so many calls its worth
           fetching here */
-       state->domain_dn = talloc_reference(state, 
-                                           samdb_search_string(state->sam_ldb, mem_ctx, NULL,
-                                                               "dn", "(&(objectClass=domain)(!(objectclass=builtinDomain)))"));
+       state->domain_dn = talloc_steal(state, samdb_result_string(msgs_domain[0], "nCName", NULL));
        if (!state->domain_dn) {
                return NT_STATUS_NO_SUCH_DOMAIN;                
        }
 
        /* work out the builtin_dn - useful for so many calls its worth
           fetching here */
-       state->builtin_dn = talloc_reference(state, 
-                                            samdb_search_string(state->sam_ldb, mem_ctx, NULL,
-                                               "dn", "objectClass=builtinDomain"));
+       state->builtin_dn = talloc_steal(state, 
+                                        samdb_search_string(state->sam_ldb, mem_ctx, NULL,
+                                                            "dn", "objectClass=builtinDomain"));
        if (!state->builtin_dn) {
                return NT_STATUS_NO_SUCH_DOMAIN;                
        }
 
        /* work out the system_dn - useful for so many calls its worth
           fetching here */
-       state->system_dn = talloc_reference(state, 
-                                            samdb_search_string(state->sam_ldb, mem_ctx, state->domain_dn,
-                                              "dn", "(&(objectClass=container)(cn=System))"));
+       state->system_dn = talloc_steal(state, 
+                                       samdb_search_string(state->sam_ldb, mem_ctx, state->domain_dn,
+                                                           "dn", "(&(objectClass=container)(cn=System))"));
        if (!state->system_dn) {
                return NT_STATUS_NO_SUCH_DOMAIN;                
        }
 
-       state->domain_sid = samdb_search_dom_sid(state->sam_ldb, state,
-                                                state->domain_dn, "objectSid", 
-                                                "dn=%s", state->domain_dn);
+       state->domain_sid = talloc_steal(state, 
+                                        samdb_search_dom_sid(state->sam_ldb, state,
+                                                             state->domain_dn, "objectSid", 
+                                                             "dn=%s", state->domain_dn));
        if (!state->domain_sid) {
                return NT_STATUS_NO_SUCH_DOMAIN;                
        }
@@ -276,13 +290,9 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
                return NT_STATUS_NO_SUCH_DOMAIN;                
        }
 
-       state->domain_name = talloc_reference(state, 
-                                             samdb_search_string(state->sam_ldb, mem_ctx,
-                                                                 state->domain_dn, "name", 
-                                                                 "dn=%s", state->domain_dn));
-       if (!state->domain_name) {
-               return NT_STATUS_NO_SUCH_DOMAIN;                
-       }
+       state->domain_name = talloc_strdup(state, 
+                                          samdb_result_string(msgs_domain[0], "nETBIOSName", 
+                                                              lp_workgroup()));
 
        *_state = state;
 
@@ -619,14 +629,6 @@ static NTSTATUS lsa_CreateTrustedDomain(struct dcesrv_call_state *dce_call, TALL
                samdb_msg_add_string(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "securityIdentifier", sid_string);
        }
 
-       /* pull in all the template attributes. */
-       ret = samdb_copy_template(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, 
-                                 "(&(name=TemplateTrustedDomain)(objectclass=trustedDomainTemplate))");
-       if (ret != 0) {
-               DEBUG(0,("Failed to load TemplateTrustedDomain from samdb\n"));
-               return NT_STATUS_INTERNAL_DB_CORRUPTION;
-       }
-
        samdb_msg_add_string(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "objectClass", "trustedDomain");
        
        trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msg->dn);
index 3cda88c04c32f05b8efdbcb8ecc4f7b493eea8f4..26593d16975ff47c7bb9f88aca8628e01abf463b 100644 (file)
@@ -747,7 +747,7 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX
        a_state->domain_state = talloc_reference(a_state, d_state);
        a_state->account_dn = talloc_steal(a_state, msg->dn);
 
-       /* retrieve the sid for the group just created */
+       /* retrieve the sid for the user just created */
        sid = samdb_search_dom_sid(d_state->sam_ctx, a_state,
                                   msg->dn, "objectSid", "dn=%s", msg->dn);
        if (sid == NULL) {
@@ -907,7 +907,7 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C
        /* Check if alias already exists */
        name = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
                                   "sAMAccountName",
-                                  "(&pAMAccountName=%s)(objectclass=group))",
+                                  "(sAMAccountName=%s)(objectclass=group))",
                                   alias_name);
 
        if (name != NULL) {
@@ -2040,17 +2040,6 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C
                        return NT_STATUS_NO_MEMORY;
                }
 
-               /* pull in all the template attributes */
-               ret = samdb_copy_template(d_state->sam_ctx, mem_ctx, msg, 
-                                         "(&(name=TemplateForeignSecurityPrincipal)"
-                                         "(objectclass=foreignSecurityPrincipalTemplate))");
-               if (ret != 0) {
-                       DEBUG(0,("Failed to load "
-                                "TemplateForeignSecurityPrincipal "
-                                "from samdb\n"));
-                       return NT_STATUS_INTERNAL_DB_CORRUPTION;
-               }
-
                /* TODO: Hmmm. This feels wrong. How do I find the base dn to
                 * put the ForeignSecurityPrincipals? d_state->domain_dn does
                 * not work, this is wrong for the Builtin domain, there's no
@@ -2075,14 +2064,10 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C
 
                memberdn = msg->dn;
 
-               samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
-                                    "name", sidstr);
                samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
                                     "objectClass",
                                     "foreignSecurityPrincipal");
-               samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
-                                    "objectSid", sidstr);
-               
+
                /* create the alias */
                ret = samdb_add(d_state->sam_ctx, mem_ctx, msg);
                if (ret != 0) {
@@ -3256,7 +3241,7 @@ static NTSTATUS samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX
        struct ldb_message **msgs;
        int ret;
        const char * const attrs[] = {"minPwdLength", "pwdProperties", NULL };
-       void *sam_ctx;
+       struct ldb_context *sam_ctx;
 
        ZERO_STRUCT(r->out.info);
 
@@ -3267,8 +3252,7 @@ static NTSTATUS samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX
 
        ret = gendb_search(sam_ctx, 
                           mem_ctx, NULL, &msgs, attrs, 
-                          "(&(name=%s)(objectclass=domain))",
-                          lp_workgroup());
+                          "(&(!(objectClass=builtinDomain))(objectclass=domain))");
        if (ret <= 0) {
                return NT_STATUS_NO_SUCH_DOMAIN;
        }
index b6a7c5978b5e82b343b60b33908a62e1c53be5f8..0bcb2fa761e4a69977104729ef510e16d42afb79 100644 (file)
@@ -56,19 +56,10 @@ function add_foreign(str, sid, desc, unixname)
 dn: CN=${SID},CN=ForeignSecurityPrincipals,${BASEDN}
 objectClass: top
 objectClass: foreignSecurityPrincipal
-cn: ${SID}
 description: ${DESC}
-instanceType: 4
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
+unixName: ${UNIXNAME}
 uSNCreated: 1
 uSNChanged: 1
-showInAdvancedViewOnly: TRUE
-name: ${SID}
-objectGUID: ${NEWGUID}
-objectSid: ${SID}
-objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,${BASEDN}
-unixName: ${UNIXNAME}
 ";
        var sub = new Object();
        sub.SID = sid;
@@ -212,7 +203,7 @@ function setup_file(template, fname, subobj)
 /*
   provision samba4 - caution, this wipes all existing data!
 */
-function provision(subobj, message)
+function provision(subobj, message, blank)
 {
        var data = "";
        var lp = loadparm_init();
@@ -249,7 +240,11 @@ function provision(subobj, message)
        message("Setting up sam.ldb templates\n");
        setup_ldb("provision_templates.ldif", "sam.ldb", subobj, NULL, false);
        message("Setting up sam.ldb data\n");
-       setup_ldb("provision.ldif", "sam.ldb", subobj, data, false);
+       setup_ldb("provision.ldif", "sam.ldb", subobj, NULL, false);
+       if (blank == false) {
+               message("Setting up sam.ldb users and groups\n");
+               setup_ldb("provision_users.ldif", "sam.ldb", subobj, data, false);
+       }
        message("Setting up rootdse.ldb\n");
        setup_ldb("rootdse.ldif", "rootdse.ldb", subobj);
        message("Setting up secrets.ldb\n");
index 90363fcf20848e9e53bc802114fa30edde729900..dc542f59f042fb398a1dd807994c33366f54367e 100755 (executable)
@@ -27,7 +27,8 @@ ok = GetOptions(ARGV, options,
                'nogroup=s',
                'wheel=s',
                'users=s',
-               'quiet');
+               'quiet',
+                'blank');
 if (ok == false) {
    println("Failed to parse options: " + options.ERROR);
    return -1;
@@ -72,6 +73,7 @@ provision [options]
  --wheel       GROUPNAME       choose 'wheel' privileged group
  --users       GROUPNAME       choose 'users' group
  --quiet                       Be quiet
+ --blank                       do not add users or groups, just the structure
 
 You must provide at least a realm and domain
 
@@ -106,6 +108,6 @@ for (r in options) {
 
 message("Provisioning for %s in realm %s\n", subobj.DOMAIN, subobj.REALM);
 message("Using administrator password: %s\n", subobj.ADMINPASS);
-provision(subobj, message);
+provision(subobj, message, options["blank"] != undefined);
 message("All OK\n");
 return 0;
index 01dbc6366aa03345020cc3fc73f03547bcd68471..b2d0848946f850307ba39b0ed281beae15c83cfe 100644 (file)
@@ -23,6 +23,7 @@ nextRid: 1001
 pwdProperties: 1
 pwdHistoryLength: 24
 objectSid: ${DOMAINSID}
+oEMInformation: Provisioned by Samba4: ${LDAPTIME}
 serverState: 1
 nTMixedDomain: 1
 msDS-Behavior-Version: 0
@@ -172,464 +173,6 @@ modifiedCount: 1
 objectCategory: CN=Builtin-Domain,CN=Schema,CN=Configuration,${BASEDN}
 isCriticalSystemObject: TRUE
 
-dn: CN=Administrator,CN=Users,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: Administrator
-description: Built-in account for administering the computer/domain
-uSNCreated: 1
-memberOf: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
-memberOf: CN=Domain Admins,CN=Users,${BASEDN}
-memberOf: CN=Enterprise Admins,CN=Users,${BASEDN}
-memberOf: CN=Schema Admins,CN=Users,${BASEDN}
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-userAccountControl: 0x10200
-objectSid: ${DOMAINSID}-500
-adminCount: 1
-accountExpires: -1
-sAMAccountName: Administrator
-isCriticalSystemObject: TRUE
-unicodePwd: ${ADMINPASS}
-unixName: ${ROOT}
-
-dn: CN=Guest,CN=Users,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: Guest
-description: Built-in account for guest access to the computer/domain
-uSNCreated: 1
-memberOf: CN=Guests,CN=Builtin,${BASEDN}
-uSNChanged: 1
-userAccountControl: 0x10222
-primaryGroupID: 514
-objectSid: ${DOMAINSID}-501
-sAMAccountName: Guest
-isCriticalSystemObject: TRUE
-
-dn: CN=Administrators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Administrators
-description: Administrators have complete and unrestricted access to the computer/domain
-member: CN=Domain Admins,CN=Users,${BASEDN}
-member: CN=Enterprise Admins,CN=Users,${BASEDN}
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-544
-adminCount: 1
-sAMAccountName: Administrators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-privilege: SeSecurityPrivilege
-privilege: SeBackupPrivilege
-privilege: SeRestorePrivilege
-privilege: SeSystemtimePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeRemoteShutdownPrivilege
-privilege: SeTakeOwnershipPrivilege
-privilege: SeDebugPrivilege
-privilege: SeSystemEnvironmentPrivilege
-privilege: SeSystemProfilePrivilege
-privilege: SeProfileSingleProcessPrivilege
-privilege: SeIncreaseBasePriorityPrivilege
-privilege: SeLoadDriverPrivilege
-privilege: SeCreatePagefilePrivilege
-privilege: SeIncreaseQuotaPrivilege
-privilege: SeChangeNotifyPrivilege
-privilege: SeUndockPrivilege
-privilege: SeManageVolumePrivilege
-privilege: SeImpersonatePrivilege
-privilege: SeCreateGlobalPrivilege
-privilege: SeEnableDelegationPrivilege
-privilege: SeInteractiveLogonRight
-privilege: SeNetworkLogonRight
-privilege: SeRemoteInteractiveLogonRight
-
-
-dn: CN=Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Users
-description: Users are prevented from making accidental or intentional system-wide changes.  Thus, Users can run certified applications, but not most legacy applications
-member: CN=Domain Users,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-545
-sAMAccountName: Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Guests,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Guests
-description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
-member: CN=Domain Guests,CN=Users,${BASEDN}
-member: CN=Guest,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-546
-sAMAccountName: Guests
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-unixName: ${NOGROUP}
-
-dn: CN=Print Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Print Operators
-description: Members can administer domain printers
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-550
-adminCount: 1
-sAMAccountName: Print Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeLoadDriverPrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-
-dn: CN=Backup Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Backup Operators
-description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-551
-adminCount: 1
-sAMAccountName: Backup Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeBackupPrivilege
-privilege: SeRestorePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-
-dn: CN=Replicator,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Replicator
-description: Supports file replication in a domain
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-552
-adminCount: 1
-sAMAccountName: Replicator
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Remote Desktop Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Remote Desktop Users
-description: Members in this group are granted the right to logon remotely
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-555
-sAMAccountName: Remote Desktop Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Network Configuration Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Network Configuration Operators
-description: Members in this group can have some administrative privileges to manage configuration of networking features
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-556
-sAMAccountName: Network Configuration Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Performance Monitor Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Performance Monitor Users
-description: Members of this group have remote access to monitor this computer
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-558
-sAMAccountName: Performance Monitor Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Performance Log Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Performance Log Users
-description: Members of this group have remote access to schedule logging of performance counters on this computer
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-559
-sAMAccountName: Performance Log Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=${NETBIOSNAME},OU=Domain Controllers,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: computer
-cn: ${NETBIOSNAME}
-uSNCreated: 1
-uSNChanged: 1
-objectGUID: ${HOSTGUID}
-userAccountControl: 532480
-lastLogon: 127273269057298624
-localPolicyFlags: 0
-pwdLastSet: 127258826171655328
-primaryGroupID: 516
-objectSid: ${DOMAINSID}-1000
-accountExpires: 9223372036854775807
-sAMAccountName: ${NETBIOSNAME}$
-sAMAccountType: 805306369
-operatingSystem: Samba
-operatingSystemVersion: 4.0
-dNSHostName: ${DNSNAME}
-isCriticalSystemObject: TRUE
-unicodePwd: ${MACHINEPASS}
-servicePrincipalName: HOST/${DNSNAME}
-servicePrincipalName: HOST/${NETBIOSNAME}
-msDS-KeyVersionNumber: 1
-
-dn: CN=krbtgt,CN=Users,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: krbtgt
-description: Key Distribution Center Service Account
-uSNCreated: 1
-uSNChanged: 1
-showInAdvancedViewOnly: TRUE
-userAccountControl: 514
-pwdLastSet: 127258826179466560
-objectSid: ${DOMAINSID}-502
-adminCount: 1
-accountExpires: 9223372036854775807
-sAMAccountName: krbtgt
-sAMAccountType: 805306368
-servicePrincipalName: kadmin/changepw
-isCriticalSystemObject: TRUE
-unicodePwd: ${KRBTGTPASS}
-
-dn: CN=Domain Computers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Computers
-description: All workstations and servers joined to the domain
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-515
-sAMAccountName: Domain Computers
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Domain Controllers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Controllers
-description: All domain controllers in the domain
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-516
-adminCount: 1
-sAMAccountName: Domain Controllers
-isCriticalSystemObject: TRUE
-
-dn: CN=Schema Admins,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Schema Admins
-description: Designated administrators of the schema
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-518
-adminCount: 1
-sAMAccountName: Schema Admins
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=Enterprise Admins,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Enterprise Admins
-description: Designated administrators of the enterprise
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-519
-adminCount: 1
-sAMAccountName: Enterprise Admins
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=Cert Publishers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Cert Publishers
-description: Members of this group are permitted to publish certificates to the Active Directory
-uSNCreated: 1
-uSNChanged: 1
-groupType: 0x80000004
-sAMAccountType: 0x20000000
-objectSid: ${DOMAINSID}-517
-sAMAccountName: Cert Publishers
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Domain Admins,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Admins
-description: Designated administrators of the domain
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-512
-adminCount: 1
-sAMAccountName: Domain Admins
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=Domain Users,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Users
-description: All domain users
-uSNCreated: 1
-memberOf: CN=Users,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-513
-sAMAccountName: Domain Users
-isCriticalSystemObject: TRUE
-unixName: ${USERS}
-
-dn: CN=Domain Guests,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Guests
-description: All domain guests
-uSNCreated: 1
-memberOf: CN=Guests,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-514
-sAMAccountName: Domain Guests
-isCriticalSystemObject: TRUE
-
-dn: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Group Policy Creator Owners
-description: Members in this group can modify group policy for the domain
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-520
-sAMAccountName: Group Policy Creator Owners
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=RAS and IAS Servers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: RAS and IAS Servers
-description: Servers in this group can access remote access properties of users
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-553
-sAMAccountName: RAS and IAS Servers
-sAMAccountType: 0x20000000
-groupType: 0x80000004
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Server Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Server Operators
-description: Members can administer domain servers
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-549
-adminCount: 1
-sAMAccountName: Server Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeBackupPrivilege
-privilege: SeSystemtimePrivilege
-privilege: SeRemoteShutdownPrivilege
-privilege: SeRestorePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-
-dn: CN=Account Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Account Operators
-description: Members can administer domain user and group accounts
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-548
-adminCount: 1
-sAMAccountName: Account Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeInteractiveLogonRight
-
 ###############################
 # Configuration Naming Context
 ###############################
index 9a045d2afc080524f37dcbbf9fb2ab77870a3e68..3693f46558b30e5822e8d7f20103eb1359240069 100644 (file)
@@ -121,6 +121,9 @@ objectClass: top
 objectClass: Template
 objectClass: foreignSecurityPrincipalTemplate
 cn: TemplateForeignSecurityPrincipal
+instanceType: 4
+showInAdvancedViewOnly: TRUE
+objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,${BASEDN}
 
 dn: CN=TemplateSecret,CN=Templates,${BASEDN}
 objectClass: top
diff --git a/source/setup/provision_users.ldif b/source/setup/provision_users.ldif
new file mode 100644 (file)
index 0000000..2e420b2
--- /dev/null
@@ -0,0 +1,459 @@
+dn: CN=Administrator,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: Administrator
+description: Built-in account for administering the computer/domain
+uSNCreated: 1
+memberOf: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
+memberOf: CN=Domain Admins,CN=Users,${BASEDN}
+memberOf: CN=Enterprise Admins,CN=Users,${BASEDN}
+memberOf: CN=Schema Admins,CN=Users,${BASEDN}
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+userAccountControl: 0x10200
+objectSid: ${DOMAINSID}-500
+adminCount: 1
+accountExpires: -1
+sAMAccountName: Administrator
+isCriticalSystemObject: TRUE
+unicodePwd: ${ADMINPASS}
+unixName: ${ROOT}
+
+dn: CN=Guest,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: Guest
+description: Built-in account for guest access to the computer/domain
+uSNCreated: 1
+memberOf: CN=Guests,CN=Builtin,${BASEDN}
+uSNChanged: 1
+userAccountControl: 0x10222
+primaryGroupID: 514
+objectSid: ${DOMAINSID}-501
+sAMAccountName: Guest
+isCriticalSystemObject: TRUE
+
+dn: CN=Administrators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Administrators
+description: Administrators have complete and unrestricted access to the computer/domain
+member: CN=Domain Admins,CN=Users,${BASEDN}
+member: CN=Enterprise Admins,CN=Users,${BASEDN}
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-544
+adminCount: 1
+sAMAccountName: Administrators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+privilege: SeSecurityPrivilege
+privilege: SeBackupPrivilege
+privilege: SeRestorePrivilege
+privilege: SeSystemtimePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeRemoteShutdownPrivilege
+privilege: SeTakeOwnershipPrivilege
+privilege: SeDebugPrivilege
+privilege: SeSystemEnvironmentPrivilege
+privilege: SeSystemProfilePrivilege
+privilege: SeProfileSingleProcessPrivilege
+privilege: SeIncreaseBasePriorityPrivilege
+privilege: SeLoadDriverPrivilege
+privilege: SeCreatePagefilePrivilege
+privilege: SeIncreaseQuotaPrivilege
+privilege: SeChangeNotifyPrivilege
+privilege: SeUndockPrivilege
+privilege: SeManageVolumePrivilege
+privilege: SeImpersonatePrivilege
+privilege: SeCreateGlobalPrivilege
+privilege: SeEnableDelegationPrivilege
+privilege: SeInteractiveLogonRight
+privilege: SeNetworkLogonRight
+privilege: SeRemoteInteractiveLogonRight
+
+
+dn: CN=${NETBIOSNAME},OU=Domain Controllers,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: computer
+cn: ${NETBIOSNAME}
+uSNCreated: 1
+uSNChanged: 1
+objectGUID: ${HOSTGUID}
+userAccountControl: 532480
+lastLogon: 127273269057298624
+localPolicyFlags: 0
+pwdLastSet: 127258826171655328
+primaryGroupID: 516
+objectSid: ${DOMAINSID}-1000
+accountExpires: 9223372036854775807
+sAMAccountName: ${NETBIOSNAME}$
+sAMAccountType: 805306369
+operatingSystem: Samba
+operatingSystemVersion: 4.0
+dNSHostName: ${DNSNAME}
+isCriticalSystemObject: TRUE
+unicodePwd: ${MACHINEPASS}
+servicePrincipalName: HOST/${DNSNAME}
+servicePrincipalName: HOST/${NETBIOSNAME}
+msDS-KeyVersionNumber: 1
+
+
+dn: CN=Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Users
+description: Users are prevented from making accidental or intentional system-wide changes.  Thus, Users can run certified applications, but not most legacy applications
+member: CN=Domain Users,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-545
+sAMAccountName: Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Guests,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Guests
+description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
+member: CN=Domain Guests,CN=Users,${BASEDN}
+member: CN=Guest,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-546
+sAMAccountName: Guests
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${NOGROUP}
+
+dn: CN=Print Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Print Operators
+description: Members can administer domain printers
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-550
+adminCount: 1
+sAMAccountName: Print Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeLoadDriverPrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Backup Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Backup Operators
+description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-551
+adminCount: 1
+sAMAccountName: Backup Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeBackupPrivilege
+privilege: SeRestorePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Replicator,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Replicator
+description: Supports file replication in a domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-552
+adminCount: 1
+sAMAccountName: Replicator
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Remote Desktop Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Remote Desktop Users
+description: Members in this group are granted the right to logon remotely
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-555
+sAMAccountName: Remote Desktop Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Network Configuration Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Network Configuration Operators
+description: Members in this group can have some administrative privileges to manage configuration of networking features
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-556
+sAMAccountName: Network Configuration Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Performance Monitor Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Performance Monitor Users
+description: Members of this group have remote access to monitor this computer
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-558
+sAMAccountName: Performance Monitor Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Performance Log Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Performance Log Users
+description: Members of this group have remote access to schedule logging of performance counters on this computer
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-559
+sAMAccountName: Performance Log Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=krbtgt,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: krbtgt
+description: Key Distribution Center Service Account
+uSNCreated: 1
+uSNChanged: 1
+showInAdvancedViewOnly: TRUE
+userAccountControl: 514
+pwdLastSet: 127258826179466560
+objectSid: ${DOMAINSID}-502
+adminCount: 1
+accountExpires: 9223372036854775807
+sAMAccountName: krbtgt
+sAMAccountType: 805306368
+servicePrincipalName: kadmin/changepw
+isCriticalSystemObject: TRUE
+unicodePwd: ${KRBTGTPASS}
+
+dn: CN=Domain Computers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Computers
+description: All workstations and servers joined to the domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-515
+sAMAccountName: Domain Computers
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Controllers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Controllers
+description: All domain controllers in the domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-516
+adminCount: 1
+sAMAccountName: Domain Controllers
+isCriticalSystemObject: TRUE
+
+dn: CN=Schema Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Schema Admins
+description: Designated administrators of the schema
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-518
+adminCount: 1
+sAMAccountName: Schema Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Enterprise Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Enterprise Admins
+description: Designated administrators of the enterprise
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-519
+adminCount: 1
+sAMAccountName: Enterprise Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Cert Publishers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Cert Publishers
+description: Members of this group are permitted to publish certificates to the Active Directory
+uSNCreated: 1
+uSNChanged: 1
+groupType: 0x80000004
+sAMAccountType: 0x20000000
+objectSid: ${DOMAINSID}-517
+sAMAccountName: Cert Publishers
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Admins
+description: Designated administrators of the domain
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-512
+adminCount: 1
+sAMAccountName: Domain Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Domain Users,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Users
+description: All domain users
+uSNCreated: 1
+memberOf: CN=Users,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-513
+sAMAccountName: Domain Users
+isCriticalSystemObject: TRUE
+unixName: ${USERS}
+
+dn: CN=Domain Guests,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Guests
+description: All domain guests
+uSNCreated: 1
+memberOf: CN=Guests,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-514
+sAMAccountName: Domain Guests
+isCriticalSystemObject: TRUE
+
+dn: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Group Policy Creator Owners
+description: Members in this group can modify group policy for the domain
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-520
+sAMAccountName: Group Policy Creator Owners
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=RAS and IAS Servers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: RAS and IAS Servers
+description: Servers in this group can access remote access properties of users
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-553
+sAMAccountName: RAS and IAS Servers
+sAMAccountType: 0x20000000
+groupType: 0x80000004
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Server Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Server Operators
+description: Members can administer domain servers
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-549
+adminCount: 1
+sAMAccountName: Server Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeBackupPrivilege
+privilege: SeSystemtimePrivilege
+privilege: SeRemoteShutdownPrivilege
+privilege: SeRestorePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Account Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Account Operators
+description: Members can administer domain user and group accounts
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-548
+adminCount: 1
+sAMAccountName: Account Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeInteractiveLogonRight
+