From 2942b9f9ced222bff45c26066421e5af3380f1fd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 29 Jan 2016 23:30:59 +0100 Subject: [PATCH 1/4] python:descriptor: add get_deletedobjects_descriptor() samba-tool drs clone-dc-database was quite useful to find the true value of nTSecurityDescriptor of the CN=Delete Objects containers. Only the auto inherited SACL is available via a ldap search. Signed-off-by: Stefan Metzmacher --- python/samba/descriptor.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py index 099834819922..b9db7cb4a1ca 100644 --- a/python/samba/descriptor.py +++ b/python/samba/descriptor.py @@ -52,6 +52,13 @@ def get_empty_descriptor(domain_sid, name_map={}): # "get_schema_descriptor" is located in "schema.py" +def get_deletedobjects_descriptor(domain_sid, name_map={}): + sddl = "O:SYG:SYD:PAI" \ + "(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)" \ + "(A;;RPLC;;;BA)" + return sddl2binary(sddl, domain_sid, name_map) + + def get_config_descriptor(domain_sid, name_map={}): sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ -- 2.25.1 From 6b84d6d9e742b5327ff6e93bd6e45ff65773acb3 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 29 Jan 2016 23:33:37 +0100 Subject: [PATCH 2/4] python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files Signed-off-by: Stefan Metzmacher --- python/samba/provision/__init__.py | 5 +++++ python/samba/provision/sambadns.py | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py index 1723d9935d41..bacb172a09ad 100644 --- a/python/samba/provision/__init__.py +++ b/python/samba/provision/__init__.py 
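Review bot: get_deletedobjects_descriptor() carries no docstring, and a bare SDDL literal is exactly the kind of value a later maintainer may "correct", so it should record where it came from and why the DACL is protected. I would add `"""Return the binary nTSecurityDescriptor of a CN=Deleted Objects container as observed on a Windows DC (via samba-tool drs clone-dc-database): the DACL is protected (P), so nothing is inherited from the NC head; SY gets the listed broad right set, BA only RP/LC."""`. The `P` flag is the security-relevant part: later ACL changes on the partition head will not flow into these containers, which appears intended here but is not stated anywhere in the code. `name_map={}` follows the existing convention in this file (see get_empty_descriptor just above), which is harmless only as long as sddl2binary() never mutates it; I cannot confirm that from the hunk. get_config_descriptor's body continues past the end of the hunk.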
@@ -79,6 +79,7 @@ from samba.provision.backend import ( ) from samba.descriptor import ( get_empty_descriptor, + get_deletedobjects_descriptor, get_config_descriptor, get_config_partitions_descriptor, get_config_sites_descriptor, @@ -1441,6 +1442,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid, msg["subRefs"] = ldb.MessageElement(names.configdn, ldb.FLAG_MOD_ADD, "subRefs") + deletedobjects_descr = b64encode(get_deletedobjects_descriptor(names.domainsid)).decode('utf8') + samdb.invocation_id = invocationid # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it @@ -1472,6 +1475,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid, "FOREST_FUNCTIONALITY": str(forestFunctionality), "DOMAIN_FUNCTIONALITY": str(domainFunctionality), "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr, + "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr, "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr, "SERVICES_DESCRIPTOR": protected1_descr, "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr, @@ -1536,6 +1540,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid, "RIDAVAILABLESTART": str(next_rid + 600), "POLICYGUID_DC": policyguid_dc, "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc, + "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr, "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc, "SYSTEM_DESCRIPTOR": system_desc, "BUILTIN_DESCRIPTOR": builtin_desc, diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py index 6823f9ee56b6..8eb24e49270c 100644 --- a/python/samba/provision/sambadns.py +++ b/python/samba/provision/sambadns.py @@ -42,6 +42,7 @@ from samba.dsdb import ( DS_GUID_USERS_CONTAINER ) from samba.descriptor import ( + get_deletedobjects_descriptor, get_domain_descriptor, get_domain_delete_protected1_descriptor, get_domain_delete_protected2_descriptor, 
@@ -256,6 +257,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, domainzone_dn = "DC=DomainDnsZones,%s" % domaindn forestzone_dn = "DC=ForestDnsZones,%s" % forestdn descriptor = get_dns_partition_descriptor(domainsid) + deletedobjects_desc = get_deletedobjects_descriptor(domainsid) setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), { "ZONE_DN": domainzone_dn, @@ -279,6 +281,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, "ZONE_DNS": domainzone_dns, "CONFIGDN": configdn, "SERVERDN": serverdn, + "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'), "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'), "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'), }) @@ -299,6 +302,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, "ZONE_DNS": forestzone_dns, "CONFIGDN": configdn, "SERVERDN": serverdn, + "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'), "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'), "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'), }) -- 2.25.1 From 716c3c379303174a854c3a9d03bdfcd4b01dd77c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 29 Jan 2016 23:34:15 +0100 Subject: [PATCH 3/4] s4:setup: set the currect nTSecurityDescriptor on the CN=Deleted Objects container Signed-off-by: Stefan Metzmacher --- source4/setup/provision.ldif | 1 + source4/setup/provision_configuration.ldif | 1 + source4/setup/provision_dnszones_add.ldif | 1 + 3 files changed, 3 insertions(+) diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index 5d9eba49f86f..7f966fd57f81 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif 
@@ -34,6 +34,7 @@ isDeleted: TRUE isCriticalSystemObject: TRUE showInAdvancedViewOnly: TRUE systemFlags: -1946157056 +nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR} # Computers located in "provision_computers*.ldif" # Users/Groups located in "provision_users*.ldif" diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif index 53c9c8536de4..8fcbddbdae48 100644 --- a/source4/setup/provision_configuration.ldif +++ b/source4/setup/provision_configuration.ldif @@ -14,6 +14,7 @@ description: Container for deleted objects isDeleted: TRUE isCriticalSystemObject: TRUE systemFlags: -1946157056 +nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR} # Extended rights diff --git a/source4/setup/provision_dnszones_add.ldif b/source4/setup/provision_dnszones_add.ldif index 860aa4b72b30..a2d6b6bab8f2 100644 --- a/source4/setup/provision_dnszones_add.ldif +++ b/source4/setup/provision_dnszones_add.ldif @@ -8,6 +8,7 @@ description: Deleted objects isDeleted: TRUE isCriticalSystemObject: TRUE systemFlags: -1946157056 +nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR} dn: CN=LostAndFound,${ZONE_DN} objectClass: top -- 2.25.1 From 26b41319828402d9e8874f268b2352012dc75a2d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 29 Jan 2016 23:35:31 +0100 Subject: [PATCH 4/4] python:descriptor: let samba-tool dbcheck fix the nTSecurityDescriptor on CN=Deleted Objects containers Signed-off-by: Stefan Metzmacher --- python/samba/descriptor.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py index b9db7cb4a1ca..1b3d0b53fdcd 100644 --- a/python/samba/descriptor.py +++ b/python/samba/descriptor.py 
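Review bot: The new `nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}` line in provision.ldif (and the identical lines in provision_configuration.ldif and provision_dnszones_add.ldif) gives a template reader no hint that the value is a deliberately protected DACL that differs from what the container would otherwise inherit. I would put an LDIF comment directly above it, `# Protected DACL as observed on Windows DCs; built by samba.descriptor.get_deletedobjects_descriptor()`. The `::` form requires the substituted value to be base64, which matches the `b64encode(...).decode('utf8')` the provisioning callers in this series supply, so that contract is worth a word in the same comment. Only freshly provisioned databases pick this up; existing ones depend on the dbcheck path added in PATCH 4/4.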
@@ -414,6 +414,7 @@ def get_wellknown_sds(samdb): # Then subcontainers subcontainers = [ (ldb.Dn(samdb, "%s" % str(samdb.domain_dn())), get_domain_descriptor), + (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.domain_dn())), get_deletedobjects_descriptor), (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(samdb.domain_dn())), get_domain_delete_protected2_descriptor), (ldb.Dn(samdb, "CN=System,%s" % str(samdb.domain_dn())), get_domain_delete_protected1_descriptor), (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(samdb.domain_dn())), get_domain_infrastructure_descriptor), @@ -424,6 +425,7 @@ def get_wellknown_sds(samdb): (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(samdb.domain_dn())), get_dns_domain_microsoft_dns_descriptor), (ldb.Dn(samdb, "%s" % str(samdb.get_config_basedn())), get_config_descriptor), + (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.get_config_basedn())), get_deletedobjects_descriptor), (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(samdb.get_config_basedn())), get_config_ntds_quotas_descriptor), (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor), (ldb.Dn(samdb, "CN=Services,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1_descriptor), @@ -448,6 +450,9 @@ def get_wellknown_sds(samdb): if ldb.Dn(samdb, nc.decode('utf8')) == dnsforestdn: c = (ldb.Dn(samdb, "%s" % str(dnsforestdn)), get_dns_partition_descriptor) subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsforestdn)), + get_deletedobjects_descriptor), + subcontainers.append(c) c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsforestdn)), get_domain_delete_protected1_descriptor) subcontainers.append(c) 
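Review bot: In the `dnsforestdn` hunk (@@ -448) the new entry is built with a trailing comma, `get_deletedobjects_descriptor),`, so `c` becomes a one-element tuple wrapping the (dn, function) pair rather than the pair itself, unlike the neighbouring `get_domain_delete_protected1_descriptor)` line. `subcontainers.append(c)` then stores `((dn, fn),)`, and whatever later iterates `subcontainers` expecting two-element entries (that code is outside the hunk) will presumably fail to unpack or skip this DN, so the CN=Deleted Objects container under ForestDnsZones would not get its descriptor fixed by dbcheck. The fix is to drop the comma: `get_deletedobjects_descriptor)`. The other two hunks on this line (@@ -414 and @@ -424) add the same entries inline and do not have this problem.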
@@ -463,6 +468,9 @@ def get_wellknown_sds(samdb): if ldb.Dn(samdb, nc.decode('utf8')) == dnsdomaindn: c = (ldb.Dn(samdb, "%s" % str(dnsdomaindn)), get_dns_partition_descriptor) subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsdomaindn)), + get_deletedobjects_descriptor), + subcontainers.append(c) c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsdomaindn)), get_domain_delete_protected1_descriptor) subcontainers.append(c) -- 2.25.1
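Review bot: The `dnsdomaindn` entry added here has the same stray trailing comma as the forest-zone hunk, `get_deletedobjects_descriptor),`, which turns `c` into a one-element tuple containing the (dn, function) pair instead of the pair, while the adjacent `get_domain_delete_protected1_descriptor)` line is written correctly. Whatever consumes `subcontainers` afterwards (outside this hunk) is presumably unpacking two-element tuples, so this entry would either raise or be skipped and the CN=Deleted Objects container under DomainDnsZones would keep its old descriptor. Change the line to `get_deletedobjects_descriptor)` without the comma. get_wellknown_sds() continues past the end of the hunk.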