From 75729e6703c5b5dff7feefed590086898fc03c74 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 11 Dec 2012 02:00:38 +0100 Subject: [PATCH 01/10] libcli/security: implement object_in_list() Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam
---
 libcli/security/create_descriptor.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index 0cac2e4..1456d84 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
@@ -80,9 +80,30 @@ uint32_t map_generic_rights_ds(uint32_t access_mask)
 * and it does not seem to have any influence */
 static bool object_in_list(struct GUID *object_list, struct GUID *object)
 {
- return true;
+ size_t i;
+
+ if (object_list == NULL) {
+ return true;
+ }
+
+ if (GUID_all_zero(object)) {
+ return true;
+ }
+
+ for (i=0; ; i++) {
+ if (GUID_all_zero(&object_list[i])) {
+ return false;
+ }
+ if (!GUID_equal(&object_list[i], object)) {
+ continue;
+ }
+
+ return true;
+ }
+
+ return false;
 }
-
+
 /* returns true if the ACE gontains generic information
 * that needs to be processed additionally */
-- 1.7.9.5 From d20c46a520a7e39dd87476cd81edab56b5543892 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 11 Dec 2012 03:17:42 +0100 Subject: [PATCH 02/10] libcli/security: calculate the correct inherited_object GUID Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam
---
 libcli/security/create_descriptor.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
index 1456d84..42ca1a7 100644
--- a/libcli/security/create_descriptor.c
+++ b/libcli/security/create_descriptor.c
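Review bot: The context comment kept directly above the new body, `* and it does not seem to have any influence */`, describes the old `return true;` stub and now contradicts a function that actually filters; replace it with the contract callers must honour, e.g. `/* object_list is terminated by an all-zero GUID, or NULL for "no filtering"; an all-zero object GUID matches any list. */`. That terminator is the only bound on `for (i=0; ; i++)`, so a caller that forgets it makes the loop read past the end of the array, which is why the contract belongs next to the function rather than in the caller. The `return false;` after the loop is unreachable, since every path leaves through one of the returns inside the loop, and can be dropped. Nothing is written through either parameter, so both could be `const struct GUID *` provided GUID_all_zero()/GUID_equal() take const pointers.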
@@ -186,7 +186,13 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
 if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT || ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
- if (!object_in_list(object_list, &ace->object.object.type.type)) {
+ struct GUID inherited_object = GUID_zero();
+
+ if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
+ inherited_object = ace->object.object.inherited_type.inherited_type;
+ }
+
+ if (!object_in_list(object_list, &inherited_object)) {
 tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
 }
-- 1.7.9.5 From a97b5f219678e409a851d9caf8317a6ef130c12f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 11 Dec 2012 02:01:12 +0100 Subject: [PATCH 03/10] s4:dsdb/descriptor: pass object_list to create_security_descriptor() Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam
---
 source4/dsdb/samdb/ldb_modules/descriptor.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 192c745..fb100f7 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -249,9 +249,15 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
 struct dom_sid *default_owner;
 struct dom_sid *default_group;
 struct security_descriptor *default_descriptor = NULL;
+ struct GUID *object_list = NULL;
 if (objectclass != NULL) {
 default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
+ object_list = talloc_zero_array(mem_ctx, struct GUID, 2);
+ if (object_list == NULL) {
+ return NULL;
+ }
+ object_list[0] = objectclass->schemaIDGUID;
 }
 if (object) {
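Review bot: Switching the filter from `ace->object.object.type.type` to the inherited object type is the right field for class-based inheritance, but the hunk leaves no comment saying why, and the next reader will have to rediscover it; a line above `struct GUID inherited_object` such as `/* inheritedObjectType names the class an inheritable ACE lands on; objectType names the attribute/right it guards, so only the former is matched against the child's class list. */` would do. An ACE without `SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT` keeps the zero GUID, which object_in_list() in patch 01 treats as matching any list — apparently the intended "applies to children of every class" semantics, and worth one more sentence in that comment. calculate_inherited_from_parent() begins and ends outside this hunk.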
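Review bot: The `2` in `talloc_zero_array(mem_ctx, struct GUID, 2)` silently encodes the all-zero terminator that object_in_list() stops on and nothing says so; a comment such as `/* one class GUID plus the zero terminator object_in_list() scans for */` keeps the invariant from being lost when someone grows the list. Only `objectclass->schemaIDGUID` is put in the list, so an inheritable ACE whose inheritedObjectType names a superclass or auxiliary class of the new object will not match; whether that is the intended behaviour or a simplification I cannot tell from here, and it deserves either a comment or a test. Leaving `object_list` NULL when `objectclass` is NULL keeps the old unfiltered behaviour, which is reasonable but also unstated. get_new_descriptor() continues past the hunk.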
@@ -370,8 +376,13 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
 default_owner = get_default_ag(mem_ctx, dn, session_info->security_token, ldb);
 default_group = get_default_group(mem_ctx, ldb, default_owner);
- new_sd = create_security_descriptor(mem_ctx, parent_descriptor, user_descriptor, true,
- NULL, SEC_DACL_AUTO_INHERIT|SEC_SACL_AUTO_INHERIT,
+ new_sd = create_security_descriptor(mem_ctx,
+ parent_descriptor,
+ user_descriptor,
+ true,
+ object_list,
+ SEC_DACL_AUTO_INHERIT |
+ SEC_SACL_AUTO_INHERIT,
 session_info->security_token, default_owner, default_group, map_generic_rights_ds);
-- 1.7.9.5 From 649fb5b61492562f1400996a6ccf33af17af5b6b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 10 Dec 2012 11:32:07 +0100 Subject: [PATCH 04/10] s4:provision: set the correct nTSecurityDescriptor on CN=Partitions,CN=Configuration... (bug #9481) Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam
---
 .../scripting/python/samba/provision/__init__.py | 3 +++
 .../scripting/python/samba/provision/descriptor.py | 17 +++++++++++++++++
 source4/setup/provision_configuration.ldif | 1 +
 3 files changed, 21 insertions(+)
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index c3713c9..63b1bd0 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -79,6 +79,7 @@ from samba.provision.backend import (
 from samba.provision.descriptor import (
 get_empty_descriptor,
 get_config_descriptor,
+ get_config_partitions_descriptor,
 get_domain_descriptor
 )
 from samba.provision.common import (
@@ -1255,6 +1256,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it if fill == FILL_FULL: logger.info("Setting up sam.ldb configuration data") + partitions_descr = b64encode(get_config_partitions_descriptor(domainsid)) setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), { "CONFIGDN": names.configdn, "NETBIOSNAME": names.netbiosname, @@ -1266,6 +1268,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, "SERVERDN": names.serverdn, "FOREST_FUNCTIONALITY": str(forestFunctionality), "DOMAIN_FUNCTIONALITY": str(domainFunctionality), + "PARTITIONS_DESCRIPTOR": partitions_descr, }) logger.info("Setting up display specifiers") diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py index 3bb2468..dd1f62f 100644 --- a/source4/scripting/python/samba/provision/descriptor.py +++ b/source4/scripting/python/samba/provision/descriptor.py 
@@ -57,6 +57,23 @@ def get_config_descriptor(domain_sid): sec = security.descriptor.from_sddl(sddl, domain_sid) return ndr_pack(sec) +def get_config_partitions_descriptor(domain_sid): + sddl = "D:" \ + "(A;;LCLORC;;;AU)" \ + "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)" \ + "(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)" \ + "(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)" \ + "(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)" \ + "(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)" \ + "(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "(A;;CC;;;ED)" \ + "(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)" \ + "S:" \ + "(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)" + sec = security.descriptor.from_sddl(sddl, domain_sid) + return ndr_pack(sec) def get_domain_descriptor(domain_sid): sddl= "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif index 9fab2b5..cb5a251 100644 --- a/source4/setup/provision_configuration.ldif +++ b/source4/setup/provision_configuration.ldif @@ -1018,6 +1018,7 @@ objectClass: crossRefContainer systemFlags: -2147483648 msDS-Behavior-Version: ${FOREST_FUNCTIONALITY} showInAdvancedViewOnly: TRUE +nTSecurityDescriptor:: ${PARTITIONS_DESCRIPTOR} # Partitions for DNS are missing here, they are added from provision_dnszones.ldif -- 1.7.9.5 From 999c068113af6158355634eb9a9c4b5a4d3066d8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 10 Dec 2012 11:32:07 +0100 Subject: [PATCH 05/10] s4:provision: set the correct nTSecurityDescriptor on CN=Sites,CN=Configuration... (bug #9481) 
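Review bot: get_config_partitions_descriptor() is a dozen opaque GUIDs with no comment on what they denote or where the string was taken from, which leaves nobody able to audit it against a reference DC later; add a header comment naming the source (e.g. `# DACL/SACL of CN=Partitions as exported from a reference Windows forest — TODO: record the version`) and, per ACE, the attribute or class each GUID stands for once checked against the schema. Unlike get_domain_descriptor()'s `O:BAG:BAD:AI` visible below, the string has no `O:`/`G:` part and no DACL control flags, so owner, group and inherited ACEs presumably come from the descriptor module's defaults at add time rather than from this definition; if the reference object carries an explicit owner/group or a protected DACL they need to be spelled out here. The same applies to every other `get_*_descriptor` helper added by this series.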
Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam --- .../scripting/python/samba/provision/__init__.py | 3 +++ .../scripting/python/samba/provision/descriptor.py | 15 +++++++++++++++ source4/setup/provision_configuration.ldif | 1 + 3 files changed, 19 insertions(+) diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index 63b1bd0..5e80d63 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -80,6 +80,7 @@ from samba.provision.descriptor import ( get_empty_descriptor, get_config_descriptor, get_config_partitions_descriptor, + get_config_sites_descriptor, get_domain_descriptor ) from samba.provision.common import ( @@ -1257,6 +1258,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, if fill == FILL_FULL: logger.info("Setting up sam.ldb configuration data") partitions_descr = b64encode(get_config_partitions_descriptor(domainsid)) + sites_descr = b64encode(get_config_sites_descriptor(domainsid)) setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), { "CONFIGDN": names.configdn, "NETBIOSNAME": names.netbiosname, @@ -1269,6 +1271,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, "FOREST_FUNCTIONALITY": str(forestFunctionality), "DOMAIN_FUNCTIONALITY": str(domainFunctionality), "PARTITIONS_DESCRIPTOR": partitions_descr, + "SITES_DESCRIPTOR": sites_descr, }) logger.info("Setting up display specifiers") diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py index dd1f62f..2deb550 100644 --- a/source4/scripting/python/samba/provision/descriptor.py +++ b/source4/scripting/python/samba/provision/descriptor.py 
@@ -75,6 +75,21 @@ def get_config_partitions_descriptor(domain_sid): sec = security.descriptor.from_sddl(sddl, domain_sid) return ndr_pack(sec) +def get_config_sites_descriptor(domain_sid): + sddl = "D:" \ + "(A;;RPLCLORC;;;AU)" \ + "(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;ER)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "S:" \ + "(AU;CISA;CCDCSDDT;;;WD)" \ + "(OU;CIIOSA;CR;;f0f8ffab-1191-11d0-a060-00aa006c33ed;WD)" \ + "(OU;CIIOSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \ + "(OU;CIIOSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \ + "(OU;CIIOSA;WP;3e10944c-c354-11d0-aff8-0000f80367c1;b7b13124-b82e-11d0-afee-0000f80367c1;WD)" + sec = security.descriptor.from_sddl(sddl, domain_sid) + return ndr_pack(sec) + def get_domain_descriptor(domain_sid): sddl= "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif index cb5a251..1d818ef 100644 --- a/source4/setup/provision_configuration.ldif +++ b/source4/setup/provision_configuration.ldif @@ -1195,6 +1195,7 @@ dn: CN=Sites,${CONFIGDN} objectClass: top objectClass: sitesContainer systemFlags: -2113929216 +ntSecurityDescriptor:: ${SITES_DESCRIPTOR} dn: CN=${DEFAULTSITE},CN=Sites,${CONFIGDN} objectClass: top -- 1.7.9.5 From ebb0a88722d416ad470497fd6ffa7b26abfe58bc Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 10 Dec 2012 11:32:07 +0100 Subject: [PATCH 06/10] s4:provision: set the correct nTSecurityDescriptor on CN=Infrastructure,... (bug #9481) 
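Review bot: In get_config_sites_descriptor() the ACE `(OA;CIIO;SW;d31a8757-…;f0f8ffab-…;ER)` grants Enterprise Read-only Domain Controllers Self-Write on one attribute of one inheritable class, and the SACL carries four object-audit ACEs whose GUIDs (`f0f8ffab-…`, `f30e3bbe-…`, `f30e3bbf-…`, `3e10944c-…`) are likewise left unexplained; one comment per ACE naming the class or attribute would make both the grant and the audit policy reviewable without a schema lookup. A header line saying which reference DC the string was copied from is missing here as in the other helpers.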
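Review bot: The LDIF line added for CN=Sites is spelled `ntSecurityDescriptor:: ${SITES_DESCRIPTOR}` while every other hunk in the series writes `nTSecurityDescriptor::`; LDAP attribute names are case-insensitive so it should still apply, but the odd spelling defeats a grep for the attribute and reads like a typo, so make it `nTSecurityDescriptor:: ${SITES_DESCRIPTOR}`. Keeping one spelling also makes it obvious at a glance that every container in the series now carries an explicit descriptor.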
Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam --- .../scripting/python/samba/provision/__init__.py | 7 +++++-- .../scripting/python/samba/provision/descriptor.py | 9 +++++++++ source4/setup/provision.ldif | 1 + 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index 5e80d63..74288c1 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -81,7 +81,8 @@ from samba.provision.descriptor import ( get_config_descriptor, get_config_partitions_descriptor, get_config_sites_descriptor, - get_domain_descriptor + get_domain_descriptor, + get_domain_infrastructure_descriptor, ) from samba.provision.common import ( setup_path, @@ -1296,6 +1297,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, setup_path("provision_computers_modify.ldif"), { "DOMAINDN": names.domaindn}) logger.info("Setting up sam.ldb data") + infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid)) setup_add_ldif(samdb, setup_path("provision.ldif"), { "CREATTIME": str(samba.unix2nttime(int(time.time()))), "DOMAINDN": names.domaindn, @@ -1304,7 +1306,8 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, "CONFIGDN": names.configdn, "SERVERDN": names.serverdn, "RIDAVAILABLESTART": str(next_rid + 600), - "POLICYGUID_DC": policyguid_dc + "POLICYGUID_DC": policyguid_dc, + "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc, }) # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py index 2deb550..db38e19 100644 --- a/source4/scripting/python/samba/provision/descriptor.py +++ b/source4/scripting/python/samba/provision/descriptor.py 
@@ -143,6 +143,15 @@ def get_domain_descriptor(domain_sid): sec = security.descriptor.from_sddl(sddl, domain_sid) return ndr_pack(sec) +def get_domain_infrastructure_descriptor(domain_sid): + sddl = "D:" \ + "(A;;RPLCLORC;;;AU)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "S:" \ + "(AU;SA;WPCR;;;WD)" + sec = security.descriptor.from_sddl(sddl, domain_sid) + return ndr_pack(sec) def get_dns_partition_descriptor(domainsid): sddl = "O:SYG:BAD:AI" \ diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index 2db01f9..0dcb7d4 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif @@ -63,6 +63,7 @@ objectClass: top objectClass: infrastructureUpdate systemFlags: -1946157056 isCriticalSystemObject: TRUE +nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR} dn: CN=LostAndFound,${DOMAINDN} objectClass: top -- 1.7.9.5 From e1301fef735b305736db0b6db335c37aa9fea832 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 10 Dec 2012 11:32:07 +0100 Subject: [PATCH 07/10] s4:provision: set the correct nTSecurityDescriptor on CN=Builtin,... (bug #9481) Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam --- .../scripting/python/samba/provision/__init__.py | 3 ++ .../scripting/python/samba/provision/descriptor.py | 57 ++++++++++++++++++++ source4/setup/provision.ldif | 1 + 3 files changed, 61 insertions(+) diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index 74288c1..a081cea 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -83,6 +83,7 @@ from samba.provision.descriptor import ( get_config_sites_descriptor, get_domain_descriptor, get_domain_infrastructure_descriptor, + get_domain_builtin_descriptor, ) from samba.provision.common import ( setup_path, 
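Review bot: The DA entry `(A;;RPWPCRCCLCLORCWOWDSW;;;DA)` deliberately omits DC, SD and DT, so Domain Admins cannot delete CN=Infrastructure or its children through this ACE while SY can, which fits the `isCriticalSystemObject: TRUE` visible in the provision.ldif hunk; without a comment a later reader is likely to "fix" the asymmetry, so add `# DA intentionally lacks DC/SD/DT: critical system object, only SY may delete it — TODO confirm against reference DC` above the string. As with its siblings the helper does not say where its DACL/SACL were copied from.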
@@ -1298,6 +1299,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, "DOMAINDN": names.domaindn}) logger.info("Setting up sam.ldb data") infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid)) + builtin_desc = b64encode(get_domain_builtin_descriptor(domainsid)) setup_add_ldif(samdb, setup_path("provision.ldif"), { "CREATTIME": str(samba.unix2nttime(int(time.time()))), "DOMAINDN": names.domaindn, @@ -1308,6 +1310,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, "RIDAVAILABLESTART": str(next_rid + 600), "POLICYGUID_DC": policyguid_dc, "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc, + "BUILTIN_DESCRIPTOR": builtin_desc, }) # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py index db38e19..d37e2cd 100644 --- a/source4/scripting/python/samba/provision/descriptor.py +++ b/source4/scripting/python/samba/provision/descriptor.py 
@@ -153,6 +153,63 @@ def get_domain_infrastructure_descriptor(domain_sid): sec = security.descriptor.from_sddl(sddl, domain_sid) return ndr_pack(sec) +def get_domain_builtin_descriptor(domain_sid): + sddl = "D:" \ + "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \ + "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ + "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ + "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ + "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ + 
"(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ + "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ + "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \ + "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ + "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \ + "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ + "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ + "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ + "(A;;RPRC;;;RU)" \ + "(A;CI;LC;;;RU)" \ + "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \ + "(A;;RP;;;WD)" \ + "(A;;RPLCLORC;;;ED)" \ + "(A;;RPLCLORC;;;AU)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "S:" \ + "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ + "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ + "(AU;SA;CR;;;DU)" \ + "(AU;SA;CR;;;BA)" \ + "(AU;SA;WPWOWD;;;WD)" + sec = security.descriptor.from_sddl(sddl, domain_sid) + return ndr_pack(sec) + def get_dns_partition_descriptor(domainsid): sddl = "O:SYG:BAD:AI" \ "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index 0dcb7d4..5d20189 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif 
@@ -24,6 +24,7 @@ serverState: 1 showInAdvancedViewOnly: FALSE systemFlags: -1946157056 uASCompat: 1 +nTSecurityDescriptor:: ${BUILTIN_DESCRIPTOR} dn: CN=Deleted Objects,${DOMAINDN} objectClass: top -- 1.7.9.5 From 19b03834f08c2a6645a31fe18121534c692c18d1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 10 Dec 2012 11:32:07 +0100 Subject: [PATCH 08/10] s4:provision: set the correct nTSecurityDescriptor on CN=Computers,... (bug #9481) Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam --- .../scripting/python/samba/provision/__init__.py | 6 +++++- .../scripting/python/samba/provision/descriptor.py | 14 ++++++++++++++ source4/setup/provision_computers_add.ldif | 1 + 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index a081cea..52dacde 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -84,6 +84,7 @@ from samba.provision.descriptor import ( get_domain_descriptor, get_domain_infrastructure_descriptor, get_domain_builtin_descriptor, + get_domain_computers_descriptor, ) from samba.provision.common import ( setup_path, @@ -1291,8 +1292,11 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), { "DOMAINDN": names.domaindn}) logger.info("Adding computers container") + computers_desc = b64encode(get_domain_computers_descriptor(domainsid)) setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), { - "DOMAINDN": names.domaindn}) + "DOMAINDN": names.domaindn, + "COMPUTERS_DESCRIPTOR": computers_desc + }) logger.info("Modifying computers container") setup_modify_ldif(samdb, setup_path("provision_computers_modify.ldif"), { 
diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py index d37e2cd..8d71969 100644 --- a/source4/scripting/python/samba/provision/descriptor.py +++ b/source4/scripting/python/samba/provision/descriptor.py @@ -210,6 +210,20 @@ def get_domain_builtin_descriptor(domain_sid): sec = security.descriptor.from_sddl(sddl, domain_sid) return ndr_pack(sec) +def get_domain_computers_descriptor(domain_sid): + sddl = "D:" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \ + "(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)" \ + "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \ + "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \ + "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \ + "(A;;RPLCLORC;;;AU)" \ + "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \ + "S:" + sec = security.descriptor.from_sddl(sddl, domain_sid) + return ndr_pack(sec) + def get_dns_partition_descriptor(domainsid): sddl = "O:SYG:BAD:AI" \ "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ diff --git a/source4/setup/provision_computers_add.ldif b/source4/setup/provision_computers_add.ldif index 6db3f41..45e2aa4 100644 --- a/source4/setup/provision_computers_add.ldif +++ b/source4/setup/provision_computers_add.ldif @@ -1,3 +1,4 @@ dn: CN=Computers,${DOMAINDN} objectClass: top objectClass: container +nTSecurityDescriptor:: ${COMPUTERS_DESCRIPTOR} -- 1.7.9.5 From 8eb359c23c6379be1ccc32e27fd2316d77a7c7b3 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 11 Dec 2012 03:15:26 +0100 Subject: [PATCH 09/10] s4:provision: set the correct nTSecurityDescriptor on CN=Users,... (bug #9481) 
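Review bot: The SDDL ends in a bare `"S:"`, which presumably yields a SACL that is present but empty rather than no SACL at all — the two differ in the packed descriptor's control flags — and the other helpers in the series only write `S:` when audit ACEs follow; either drop the `S:` or add a comment that an explicitly present, empty SACL is what the reference object has. Account Operators (`AO`) are granted create/delete over four object classes and Print Operators over one, which is the usual Windows default for CN=Computers as far as I recall, but the GUIDs should be named in comments (`# bf967a86-… = computer`, and so on, after checking the schema) so the grant can be reviewed without a lookup. Patch 08's `__init__.py` hunk shows provision_computers_modify.ldif being applied right after this add; if that file also sets nTSecurityDescriptor the value added here is overwritten, which I cannot tell from this series.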
Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam --- .../scripting/python/samba/provision/__init__.py | 6 +++++- .../scripting/python/samba/provision/descriptor.py | 13 +++++++++++++ source4/setup/provision_users_add.ldif | 1 + 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index 52dacde..c5a8b39 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -85,6 +85,7 @@ from samba.provision.descriptor import ( get_domain_infrastructure_descriptor, get_domain_builtin_descriptor, get_domain_computers_descriptor, + get_domain_users_descriptor, ) from samba.provision.common import ( setup_path, @@ -1286,8 +1287,11 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, samdb.add_ldif(display_specifiers_ldif) logger.info("Adding users container") + users_desc = b64encode(get_domain_users_descriptor(domainsid)) setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), { - "DOMAINDN": names.domaindn}) + "DOMAINDN": names.domaindn, + "USERS_DESCRIPTOR": users_desc + }) logger.info("Modifying users container") setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), { "DOMAINDN": names.domaindn}) diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py index 8d71969..2a98168 100644 --- a/source4/scripting/python/samba/provision/descriptor.py +++ b/source4/scripting/python/samba/provision/descriptor.py 
@@ -224,6 +224,19 @@ def get_domain_computers_descriptor(domain_sid): sec = security.descriptor.from_sddl(sddl, domain_sid) return ndr_pack(sec) +def get_domain_users_descriptor(domain_sid): + sddl = "D:" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \ + "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \ + "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \ + "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \ + "(A;;RPLCLORC;;;AU)" \ + "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \ + "S:" + sec = security.descriptor.from_sddl(sddl, domain_sid) + return ndr_pack(sec) + def get_dns_partition_descriptor(domainsid): sddl = "O:SYG:BAD:AI" \ "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ diff --git a/source4/setup/provision_users_add.ldif b/source4/setup/provision_users_add.ldif index db075d9..d5f76ed 100644 --- a/source4/setup/provision_users_add.ldif +++ b/source4/setup/provision_users_add.ldif @@ -1,3 +1,4 @@ dn: CN=Users,${DOMAINDN} objectClass: top objectClass: container +nTSecurityDescriptor:: ${USERS_DESCRIPTOR} -- 1.7.9.5 From b2086c8790e7d03bb9ef66c8dfe5731d1ca63b3b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 11 Dec 2012 03:15:26 +0100 Subject: [PATCH 10/10] s4:provision: set the correct nTSecurityDescriptor on CN=Domain Controllers,... (bug #9481) Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam --- .../scripting/python/samba/provision/__init__.py | 3 +++ .../scripting/python/samba/provision/descriptor.py | 12 ++++++++++++ source4/setup/provision.ldif | 1 + 3 files changed, 16 insertions(+) diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index c5a8b39..e6ea855 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py 
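Review bot: get_domain_users_descriptor() is get_domain_computers_descriptor() from patch 08 with the `bf967a86-…` (computer class) ACE removed and is otherwise identical ACE for ACE, trailing empty `"S:"` included; two hand-maintained copies of one DACL will drift, so derive both from a single private helper that keeps the reference ACE order and takes the extra ACEs as a parameter, with the two public names left as one-line wrappers (the computers variant would pass `"(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)"`). Whichever way it is written, each class GUID needs a comment, since which object types Account Operators and Print Operators may create is the entire content of these ACEs.
```python
def _account_container_descriptor(domain_sid, extra_aces=""):
    """Shared DACL of CN=Users and CN=Computers; extra_aces is spliced
    in right after the DA entry so the reference ACE order is kept."""
    sddl = "D:" \
        "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
        "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" + extra_aces + \
        "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \
        "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \
        "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \
        "(A;;RPLCLORC;;;AU)" \
        "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \
        "S:"
    sec = security.descriptor.from_sddl(sddl, domain_sid)
    return ndr_pack(sec)

def get_domain_users_descriptor(domain_sid):
    return _account_container_descriptor(domain_sid)
```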
@@ -86,6 +86,7 @@ from samba.provision.descriptor import ( get_domain_builtin_descriptor, get_domain_computers_descriptor, get_domain_users_descriptor, + get_domain_controllers_descriptor ) from samba.provision.common import ( setup_path, @@ -1308,6 +1309,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, logger.info("Setting up sam.ldb data") infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid)) builtin_desc = b64encode(get_domain_builtin_descriptor(domainsid)) + controllers_desc = b64encode(get_domain_controllers_descriptor(domainsid)) setup_add_ldif(samdb, setup_path("provision.ldif"), { "CREATTIME": str(samba.unix2nttime(int(time.time()))), "DOMAINDN": names.domaindn, @@ -1319,6 +1321,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, "POLICYGUID_DC": policyguid_dc, "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc, "BUILTIN_DESCRIPTOR": builtin_desc, + "DOMAIN_CONTROLLERS_DESCRIPTOR": controllers_desc, }) # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py index 2a98168..adf7579 100644 --- a/source4/scripting/python/samba/provision/descriptor.py +++ b/source4/scripting/python/samba/provision/descriptor.py 
@@ -237,6 +237,18 @@ def get_domain_users_descriptor(domain_sid): sec = security.descriptor.from_sddl(sddl, domain_sid) return ndr_pack(sec) +def get_domain_controllers_descriptor(domain_sid): + sddl = "D:" \ + "(A;;RPLCLORC;;;AU)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "(A;;RPLCLORC;;;ED)" \ + "S:" \ + "(AU;SA;CCDCWOWDSDDT;;;WD)" \ + "(AU;CISA;WP;;;WD)" + sec = security.descriptor.from_sddl(sddl, domain_sid) + return ndr_pack(sec) + def get_dns_partition_descriptor(domainsid): sddl = "O:SYG:BAD:AI" \ "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index 5d20189..51e56ff 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif @@ -46,6 +46,7 @@ systemFlags: -1946157056 isCriticalSystemObject: TRUE showInAdvancedViewOnly: FALSE gPLink: [LDAP://CN={${POLICYGUID_DC}},CN=Policies,CN=System,${DOMAINDN};0] +nTSecurityDescriptor:: ${DOMAIN_CONTROLLERS_DESCRIPTOR} # Joined DC located in "provision_self_join.ldif" -- 1.7.9.5