s4:provision: set the correct nTSecurityDescriptor on CN=Partitions,CN=Configuration...
authorStefan Metzmacher <metze@samba.org>
Mon, 10 Dec 2012 10:32:07 +0000 (11:32 +0100)
committerMichael Adam <obnox@samba.org>
Tue, 11 Dec 2012 03:56:07 +0000 (04:56 +0100)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
source4/scripting/python/samba/provision/__init__.py
source4/scripting/python/samba/provision/descriptor.py
source4/setup/provision_configuration.ldif

index c3713c90570787b194cebff6054288348fe290f7..63b1bd004db1550b7cd1dd8f6c8864ad45ecf9b5 100644 (file)
@@ -79,6 +79,7 @@ from samba.provision.backend import (
 from samba.provision.descriptor import (
     get_empty_descriptor,
     get_config_descriptor,
+    get_config_partitions_descriptor,
     get_domain_descriptor
     )
 from samba.provision.common import (
@@ -1255,6 +1256,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
         # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
         if fill == FILL_FULL:
             logger.info("Setting up sam.ldb configuration data")
+            partitions_descr = b64encode(get_config_partitions_descriptor(domainsid))
             setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
                     "CONFIGDN": names.configdn,
                     "NETBIOSNAME": names.netbiosname,
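Review bot: The descriptor is computed and substituted only inside the `if fill == FILL_FULL:` branch, so as far as this hunk shows it reaches CN=Partitions only when a database is freshly provisioned. A database provisioned before this commit would presumably keep whatever descriptor the object received earlier, and no upgrade path is visible in this change. If that is intended, a comment above the new line would record it, for example `# only applied on a full provision; existing databases need the descriptor updated separately`. The body of fill_samdb starts and ends outside the hunk.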
@@ -1266,6 +1268,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
                     "SERVERDN": names.serverdn,
                     "FOREST_FUNCTIONALITY": str(forestFunctionality),
                     "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
+                    "PARTITIONS_DESCRIPTOR": partitions_descr,
                     })
 
             logger.info("Setting up display specifiers")
index 3bb2468262950777feaf1109443d503cd1ce8d94..dd1f62f86c0c8e0e9515787698fc6668ca6fe8ba 100644 (file)
@@ -57,6 +57,23 @@ def get_config_descriptor(domain_sid):
     sec = security.descriptor.from_sddl(sddl, domain_sid)
     return ndr_pack(sec)
 
+def get_config_partitions_descriptor(domain_sid):
+    sddl = "D:" \
+    "(A;;LCLORC;;;AU)" \
+    "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)" \
+    "(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)" \
+    "(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)" \
+    "(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)" \
+    "(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)" \
+    "(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)" \
+    "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \
+    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+    "(A;;CC;;;ED)" \
+    "(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)" \
+    "S:" \
+    "(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)"
+    sec = security.descriptor.from_sddl(sddl, domain_sid)
+    return ndr_pack(sec)
 
 def get_domain_descriptor(domain_sid):
     sddl= "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
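Review bot: get_config_partitions_descriptor has no docstring and its object ACEs carry bare GUIDs, so anyone auditing this ACL cannot tell which attributes Authenticated Users may read, or what the `WP` ACE for `BA` covers, without looking each GUID up. I would add a docstring such as `"""Return the NDR-packed security descriptor for CN=Partitions in the configuration partition."""`. A comment block above the string should name the schema attribute or property set behind each GUID; the backslash continuations rule out per-line comments unless the literal is parenthesised. The SDDL also starts at `D:` with no `O:`/`G:` part, unlike get_domain_descriptor just below (`O:BAG:BAD:AI...`). If owner and group are meant to be filled in when the object is added, a one-line comment saying so would stop a later reader from treating the omission as a mistake. get_domain_descriptor continues outside the hunk.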
index 9fab2b567204a765958eb687c4b07de32ce3271d..cb5a251f7ffbb3389578c817d4a1dec2af1fdbd1 100644 (file)
@@ -1018,6 +1018,7 @@ objectClass: crossRefContainer
 systemFlags: -2147483648
 msDS-Behavior-Version: ${FOREST_FUNCTIONALITY}
 showInAdvancedViewOnly: TRUE
+nTSecurityDescriptor:: ${PARTITIONS_DESCRIPTOR}
 
 # Partitions for DNS are missing here, they are added from provision_dnszones.ldif