The Samba-Bugzilla – Attachment 16855 Details for
Bug 13595
CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP to normal users
[patch]
WIP patches for master
tmp.security.patches (text/plain), 10.17 KB, created by
Stefan Metzmacher
on 2021-10-19 15:17:57 UTC
Description:
WIP patches for master
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2021-10-19 15:17:57 UTC
Size:
10.17 KB
patch
obsolete
>From 2942b9f9ced222bff45c26066421e5af3380f1fd Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 29 Jan 2016 23:30:59 +0100
>Subject: [PATCH 1/4] python:descriptor: add get_deletedobjects_descriptor()
>
>samba-tool drs clone-dc-database was quite useful to find
>the true value of nTSecurityDescriptor of the CN=Delete Objects
>containers.
>
>Only the auto inherited SACL is available via a ldap search.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> python/samba/descriptor.py | 7 +++++++
> 1 file changed, 7 insertions(+)
>
>diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
>index 099834819922..b9db7cb4a1ca 100644
>--- a/python/samba/descriptor.py
>+++ b/python/samba/descriptor.py
>@@ -52,6 +52,13 @@ def get_empty_descriptor(domain_sid, name_map={}):
> # "get_schema_descriptor" is located in "schema.py"
>
>
>+def get_deletedobjects_descriptor(domain_sid, name_map={}):
>+ sddl = "O:SYG:SYD:PAI" \
>+ "(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)" \
>+ "(A;;RPLC;;;BA)"
>+ return sddl2binary(sddl, domain_sid, name_map)
>+
>+
> def get_config_descriptor(domain_sid, name_map={}):
> sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
> "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
>--
>2.25.1
>
>
>From 6b84d6d9e742b5327ff6e93bd6e45ff65773acb3 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 29 Jan 2016 23:33:37 +0100
>Subject: [PATCH 2/4] python:provision: make DELETEDOBJECTS_DESCRIPTOR
> available in the ldif files
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> python/samba/provision/__init__.py | 5 +++++
> python/samba/provision/sambadns.py | 4 ++++
> 2 files changed, 9 insertions(+)
>
>diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
>index 1723d9935d41..bacb172a09ad 100644
>--- a/python/samba/provision/__init__.py
>+++ b/python/samba/provision/__init__.py
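Review bot: `get_deletedobjects_descriptor` hard-codes the SDDL the whole series relies on to stop ordinary users listing tombstones (the CVE-2018-14628 issue in the bug title) without a single comment on what `O:SYG:SYD:PAI(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)(A;;RPLC;;;BA)` grants, so the next maintainer has to decode it by hand. I would add a docstring stating that owner and group are SYSTEM, the DACL is marked protected (P) so it does not pick up ACEs inherited from the NC head, SYSTEM gets full control, Builtin Administrators get only read-property and list-children, and no other principal (in particular not Authenticated Users) receives LC, which is what keeps the children invisible to normal users; the docstring should also record that the value was taken from a Windows DC via `samba-tool drs clone-dc-database`, as the commit message says, so any change is re-checked against Windows rather than edited ad hoc. Separately, `name_map={}` is a mutable default; it is consistent with `get_empty_descriptor` and `get_config_descriptor` in this file and the dict is only passed through to `sddl2binary`, but `name_map=None` with a local fallback would be the safer idiom if these helpers are ever cleaned up.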
>@@ -79,6 +79,7 @@ from samba.provision.backend import (
> )
> from samba.descriptor import (
> get_empty_descriptor,
>+ get_deletedobjects_descriptor,
> get_config_descriptor,
> get_config_partitions_descriptor,
> get_config_sites_descriptor,
>@@ -1441,6 +1442,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
> msg["subRefs"] = ldb.MessageElement(names.configdn, ldb.FLAG_MOD_ADD,
> "subRefs")
>
>+ deletedobjects_descr = b64encode(get_deletedobjects_descriptor(names.domainsid)).decode('utf8')
>+
> samdb.invocation_id = invocationid
>
> # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
>@@ -1472,6 +1475,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
> "FOREST_FUNCTIONALITY": str(forestFunctionality),
> "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
> "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr,
>+ "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
> "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr,
> "SERVICES_DESCRIPTOR": protected1_descr,
> "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr,
>@@ -1536,6 +1540,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
> "RIDAVAILABLESTART": str(next_rid + 600),
> "POLICYGUID_DC": policyguid_dc,
> "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
>+ "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
> "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc,
> "SYSTEM_DESCRIPTOR": system_desc,
> "BUILTIN_DESCRIPTOR": builtin_desc,
>diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
>index 6823f9ee56b6..8eb24e49270c 100644
>--- a/python/samba/provision/sambadns.py
>+++ b/python/samba/provision/sambadns.py
>@@ -42,6 +42,7 @@ from samba.dsdb import (
> DS_GUID_USERS_CONTAINER
> )
> from samba.descriptor import (
>+ get_deletedobjects_descriptor,
> get_domain_descriptor,
> get_domain_delete_protected1_descriptor,
> get_domain_delete_protected2_descriptor,
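Review bot: The new `deletedobjects_descr` assignment in `fill_samdb` is dropped between the `subRefs` MessageElement and `samdb.invocation_id` with nothing saying why it lives there, while the sibling values it is later listed beside (`ntdsquotas_descr`, `protected1wd_descr`, `infrastructure_desc`) are prepared somewhere outside these hunks. A one-line comment such as `# Protected DACL for CN=Deleted Objects; substituted into both the configuration and domain ldif templates below` would tie the three hunks of this file together for a reader who only sees one of them. fill_samdb starts before and ends after these hunks, so I cannot tell from here whether the subdomain path mentioned in the context comment also needs the value.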
>@@ -256,6 +257,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
> domainzone_dn = "DC=DomainDnsZones,%s" % domaindn
> forestzone_dn = "DC=ForestDnsZones,%s" % forestdn
> descriptor = get_dns_partition_descriptor(domainsid)
>+ deletedobjects_desc = get_deletedobjects_descriptor(domainsid)
>
> setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), {
> "ZONE_DN": domainzone_dn,
>@@ -279,6 +281,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
> "ZONE_DNS": domainzone_dns,
> "CONFIGDN": configdn,
> "SERVERDN": serverdn,
>+ "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
> "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
> "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
> })
>@@ -299,6 +302,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
> "ZONE_DNS": forestzone_dns,
> "CONFIGDN": configdn,
> "SERVERDN": serverdn,
>+ "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
> "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
> "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
> })
>--
>2.25.1
>
>
>From 716c3c379303174a854c3a9d03bdfcd4b01dd77c Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 29 Jan 2016 23:34:15 +0100
>Subject: [PATCH 3/4] s4:setup: set the currect nTSecurityDescriptor on the
> CN=Deleted Objects container
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source4/setup/provision.ldif | 1 +
> source4/setup/provision_configuration.ldif | 1 +
> source4/setup/provision_dnszones_add.ldif | 1 +
> 3 files changed, 3 insertions(+)
>
>diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
>index 5d9eba49f86f..7f966fd57f81 100644
>--- a/source4/setup/provision.ldif
>+++ b/source4/setup/provision.ldif
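Review bot: `deletedobjects_desc` is kept as the raw binary descriptor and then base64-encoded separately in the DomainDnsZones and the ForestDnsZones dictionaries, which copies the pattern of the neighbouring `protected1_desc`/`protected2_desc` entries but differs from `fill_samdb` in the same series, where the encoded string is computed once. Encoding once at the definition, `deletedobjects_desc = b64encode(get_deletedobjects_descriptor(domainsid)).decode('utf8')`, and passing `"DELETEDOBJECTS_DESCRIPTOR": deletedobjects_desc,` to both `setup_add_ldif` calls removes the duplication and makes it obvious both DNS partitions get byte-identical descriptors. setup_dns_partitions continues outside these hunks, so I cannot see which ldif templates the second and third calls load.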
>@@ -34,6 +34,7 @@ isDeleted: TRUE
> isCriticalSystemObject: TRUE
> showInAdvancedViewOnly: TRUE
> systemFlags: -1946157056
>+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
>
> # Computers located in "provision_computers*.ldif"
> # Users/Groups located in "provision_users*.ldif"
>diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
>index 53c9c8536de4..8fcbddbdae48 100644
>--- a/source4/setup/provision_configuration.ldif
>+++ b/source4/setup/provision_configuration.ldif
>@@ -14,6 +14,7 @@ description: Container for deleted objects
> isDeleted: TRUE
> isCriticalSystemObject: TRUE
> systemFlags: -1946157056
>+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
>
> # Extended rights
>
>diff --git a/source4/setup/provision_dnszones_add.ldif b/source4/setup/provision_dnszones_add.ldif
>index 860aa4b72b30..a2d6b6bab8f2 100644
>--- a/source4/setup/provision_dnszones_add.ldif
>+++ b/source4/setup/provision_dnszones_add.ldif
>@@ -8,6 +8,7 @@ description: Deleted objects
> isDeleted: TRUE
> isCriticalSystemObject: TRUE
> systemFlags: -1946157056
>+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
>
> dn: CN=LostAndFound,${ZONE_DN}
> objectClass: top
>--
>2.25.1
>
>
>From 26b41319828402d9e8874f268b2352012dc75a2d Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 29 Jan 2016 23:35:31 +0100
>Subject: [PATCH 4/4] python:descriptor: let samba-tool dbcheck fix the
> nTSecurityDescriptor on CN=Deleted Objects containers
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> python/samba/descriptor.py | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
>diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
>index b9db7cb4a1ca..1b3d0b53fdcd 100644
>--- a/python/samba/descriptor.py
>+++ b/python/samba/descriptor.py
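Review bot: These three `nTSecurityDescriptor::` lines only take effect for databases created by a fresh provision; a domain provisioned before this change keeps whatever descriptor its `CN=Deleted Objects` containers already carry until `samba-tool dbcheck` is run with the patch 4 change, so the release note for the fix should say that explicitly rather than leaving admins to assume the upgrade is automatic. Because an ldif reader gets no hint what the base64 blob grants, I would also put a comment above each added line, e.g. `# Protected DACL: only SYSTEM (full control) and Builtin Administrators (read property / list children) can see tombstones; keep in sync with get_deletedobjects_descriptor()`. The three entries are otherwise consistent with each other, which is what you want since dbcheck will compare them against the same generator.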
>@@ -414,6 +414,7 @@ def get_wellknown_sds(samdb):
> # Then subcontainers
> subcontainers = [
> (ldb.Dn(samdb, "%s" % str(samdb.domain_dn())), get_domain_descriptor),
>+ (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.domain_dn())), get_deletedobjects_descriptor),
> (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(samdb.domain_dn())), get_domain_delete_protected2_descriptor),
> (ldb.Dn(samdb, "CN=System,%s" % str(samdb.domain_dn())), get_domain_delete_protected1_descriptor),
> (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(samdb.domain_dn())), get_domain_infrastructure_descriptor),
>@@ -424,6 +425,7 @@ def get_wellknown_sds(samdb):
> (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(samdb.domain_dn())), get_dns_domain_microsoft_dns_descriptor),
>
> (ldb.Dn(samdb, "%s" % str(samdb.get_config_basedn())), get_config_descriptor),
>+ (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.get_config_basedn())), get_deletedobjects_descriptor),
> (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(samdb.get_config_basedn())), get_config_ntds_quotas_descriptor),
> (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor),
> (ldb.Dn(samdb, "CN=Services,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1_descriptor),
>@@ -448,6 +450,9 @@ def get_wellknown_sds(samdb):
> if ldb.Dn(samdb, nc.decode('utf8')) == dnsforestdn:
> c = (ldb.Dn(samdb, "%s" % str(dnsforestdn)), get_dns_partition_descriptor)
> subcontainers.append(c)
>+ c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsforestdn)),
>+ get_deletedobjects_descriptor),
>+ subcontainers.append(c)
> c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsforestdn)),
> get_domain_delete_protected1_descriptor)
> subcontainers.append(c)
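Review bot: The trailing comma on the added `get_deletedobjects_descriptor),` line in the dnsforestdn branch turns `c` into a one-element tuple wrapping the (DN, function) pair, so `subcontainers.append(c)` appends `((dn, fn),)` instead of `(dn, fn)`; whatever later unpacks `subcontainers` entries as a DN/function pair (that loop is outside the hunk) will either raise on this entry or skip it, and the ForestDnsZones `CN=Deleted Objects` container would then not be repaired by dbcheck, which is the whole purpose of this patch. The `CN=Infrastructure` entry two lines below shows the intended form; the fix is to drop the comma: `get_deletedobjects_descriptor)`. The two additions in the earlier list-literal hunks (-414 and -424) are fine because there the trailing comma separates list elements. get_wellknown_sds continues past the end of this hunk.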
>@@ -463,6 +468,9 @@ def get_wellknown_sds(samdb):
> if ldb.Dn(samdb, nc.decode('utf8')) == dnsdomaindn:
> c = (ldb.Dn(samdb, "%s" % str(dnsdomaindn)), get_dns_partition_descriptor)
> subcontainers.append(c)
>+ c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsdomaindn)),
>+ get_deletedobjects_descriptor),
>+ subcontainers.append(c)
> c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsdomaindn)),
> get_domain_delete_protected1_descriptor)
> subcontainers.append(c)
>--
>2.25.1
>
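Review bot: The added `get_deletedobjects_descriptor),` line in the dnsdomaindn branch has a stray trailing comma after the closing parenthesis, which makes `c` the 1-tuple `((dn, fn),)` rather than the `(dn, fn)` pair every other `subcontainers` entry has, so the DomainDnsZones `CN=Deleted Objects` entry has the wrong shape and a `for dn, fn in subcontainers` consumer (outside this hunk) will not handle it. Change the line to `get_deletedobjects_descriptor)` to match the `CN=Infrastructure` entry directly below it. A test that provisions a DC and runs `samba-tool dbcheck` over the DNS partitions would have caught this, and is worth adding since this is the only upgrade path for existing domains. get_wellknown_sds continues past the end of this hunk.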