The Samba-Bugzilla – Attachment 8337 Details for
Bug 9481
ACL on cn=partitions,cn=configuration is incorrect
[patch]
Patches for v4-0-test
tmp40.diff (text/plain), 33.11 KB, created by
Stefan Metzmacher
on 2012-12-11 06:10:53 UTC
Description:
Patches for v4-0-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2012-12-11 06:10:53 UTC
Size:
33.11 KB
patch
obsolete
>From ed08b308afe7846a6db5f5b62e21877514e5016e Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 11 Dec 2012 02:00:38 +0100
>Subject: [PATCH 01/10] libcli/security: implement object_in_list()
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(cherry picked from commit 75729e6703c5b5dff7feefed590086898fc03c74)
>---
> libcli/security/create_descriptor.c | 25 +++++++++++++++++++++++--
> 1 file changed, 23 insertions(+), 2 deletions(-)
>
>diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
>index 0cac2e4..1456d84 100644
>--- a/libcli/security/create_descriptor.c
>+++ b/libcli/security/create_descriptor.c
>@@ -80,9 +80,30 @@ uint32_t map_generic_rights_ds(uint32_t access_mask)
> * and it does not seem to have any influence */
> static bool object_in_list(struct GUID *object_list, struct GUID *object)
> {
>- return true;
>+ size_t i;
>+
>+ if (object_list == NULL) {
>+ return true;
>+ }
>+
>+ if (GUID_all_zero(object)) {
>+ return true;
>+ }
>+
>+ for (i=0; ; i++) {
>+ if (GUID_all_zero(&object_list[i])) {
>+ return false;
>+ }
>+ if (!GUID_equal(&object_list[i], object)) {
>+ continue;
>+ }
>+
>+ return true;
>+ }
>+
>+ return false;
> }
>-
>+
> /* returns true if the ACE gontains generic information
> * that needs to be processed additionally */
>
>--
>1.7.9.5
>
>
>From c4c05bd0aefcf9cbd2b55e6d9ea07fb74735e16a Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 11 Dec 2012 03:17:42 +0100
>Subject: [PATCH 02/10] libcli/security: calculate the correct
> inherited_object GUID
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(cherry picked from commit d20c46a520a7e39dd87476cd81edab56b5543892)
>---
> libcli/security/create_descriptor.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
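Review bot: The `return false;` after the `for (i=0; ; i++)` loop in object_in_list() is unreachable, since every path out of the loop already returns; either drop it or make the loop exit on the terminator and fall through to it. The function now depends on the caller ending `object_list` with an all-zero GUID and has no length bound, so that contract belongs above the signature, e.g. `/* object_list must end with an all-zero GUID; a NULL list or an all-zero object matches everything */`. The context comment just above, `and it does not seem to have any influence`, described the old stub and is now stale. If GUID_all_zero() and GUID_equal() accept const pointers, both parameters can become `const struct GUID *` because the function only reads them.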
>
>diff --git a/libcli/security/create_descriptor.c b/libcli/security/create_descriptor.c
>index 1456d84..42ca1a7 100644
>--- a/libcli/security/create_descriptor.c
>+++ b/libcli/security/create_descriptor.c
>@@ -186,7 +186,13 @@ static struct security_acl *calculate_inherited_from_parent(TALLOC_CTX *mem_ctx,
>
> if (ace->type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
> ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
>- if (!object_in_list(object_list, &ace->object.object.type.type)) {
>+ struct GUID inherited_object = GUID_zero();
>+
>+ if (ace->object.object.flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT) {
>+ inherited_object = ace->object.object.inherited_type.inherited_type;
>+ }
>+
>+ if (!object_in_list(object_list, &inherited_object)) {
> tmp_acl->aces[tmp_acl->num_aces].flags |= SEC_ACE_FLAG_INHERIT_ONLY;
> }
>
>--
>1.7.9.5
>
>
>From b910d0fa17f35e8d09d0bb269b5f813aee836c5f Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 11 Dec 2012 02:01:12 +0100
>Subject: [PATCH 03/10] s4:dsdb/descriptor: pass object_list to
> create_security_descriptor()
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(cherry picked from commit a97b5f219678e409a851d9caf8317a6ef130c12f)
>---
> source4/dsdb/samdb/ldb_modules/descriptor.c | 15 +++++++++++++--
> 1 file changed, 13 insertions(+), 2 deletions(-)
>
>diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
>index 192c745..fb100f7 100644
>--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
>+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
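Review bot: The zero-initialised `inherited_object` needs a comment, because its effect is only visible through object_in_list() in the previous patch: an ACE without SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT is passed as an all-zero GUID, which object_in_list() treats as matching every class, so the ACE is never marked SEC_ACE_FLAG_INHERIT_ONLY; e.g. `/* no inherited-object type: applies to all classes (object_in_list() matches a zero GUID) */`. Only the two *_OBJECT ACE types reach this check, so plain ACCESS_ALLOWED/DENIED ACEs are inherited unconditionally; that is presumably intended but is worth stating next to the `if`. calculate_inherited_from_parent() starts and ends outside the hunk.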
>@@ -249,9 +249,15 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
> struct dom_sid *default_owner;
> struct dom_sid *default_group;
> struct security_descriptor *default_descriptor = NULL;
>+ struct GUID *object_list = NULL;
>
> if (objectclass != NULL) {
> default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
>+ object_list = talloc_zero_array(mem_ctx, struct GUID, 2);
>+ if (object_list == NULL) {
>+ return NULL;
>+ }
>+ object_list[0] = objectclass->schemaIDGUID;
> }
>
> if (object) {
>@@ -370,8 +376,13 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
> default_owner = get_default_ag(mem_ctx, dn,
> session_info->security_token, ldb);
> default_group = get_default_group(mem_ctx, ldb, default_owner);
>- new_sd = create_security_descriptor(mem_ctx, parent_descriptor, user_descriptor, true,
>- NULL, SEC_DACL_AUTO_INHERIT|SEC_SACL_AUTO_INHERIT,
>+ new_sd = create_security_descriptor(mem_ctx,
>+ parent_descriptor,
>+ user_descriptor,
>+ true,
>+ object_list,
>+ SEC_DACL_AUTO_INHERIT |
>+ SEC_SACL_AUTO_INHERIT,
> session_info->security_token,
> default_owner, default_group,
> map_generic_rights_ds);
>--
>1.7.9.5
>
>
>From bbffb6a78a69d30665db8a5d56147f06db7730e3 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 10 Dec 2012 11:32:07 +0100
>Subject: [PATCH 04/10] s4:provision: set the correct nTSecurityDescriptor on
> CN=Partitions,CN=Configuration... (bug #9481)
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(cherry picked from commit 649fb5b61492562f1400996a6ccf33af17af5b6b)
>---
> .../scripting/python/samba/provision/__init__.py | 3 +++
> .../scripting/python/samba/provision/descriptor.py | 17 +++++++++++++++++
> source4/setup/provision_configuration.ldif | 1 +
> 3 files changed, 21 insertions(+)
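Review bot: `talloc_zero_array(mem_ctx, struct GUID, 2)` leaves `object_list[1]` all-zero, and that zero element is the only thing that stops object_in_list()'s unbounded loop, so the bare `2` deserves a comment, e.g. `/* [1] stays all-zero: object_in_list() needs a zero-GUID terminator */`. When `objectclass` is NULL the list stays NULL and object_in_list() then matches every inherited-object type, i.e. the class filter is switched off rather than failing closed; if that fallback is intended it should be said at the `if (objectclass != NULL)`. get_new_descriptor() continues outside both hunks.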
>
>diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
>index c3713c9..63b1bd0 100644
>--- a/source4/scripting/python/samba/provision/__init__.py
>+++ b/source4/scripting/python/samba/provision/__init__.py
>@@ -79,6 +79,7 @@ from samba.provision.backend import (
> from samba.provision.descriptor import (
> get_empty_descriptor,
> get_config_descriptor,
>+ get_config_partitions_descriptor,
> get_domain_descriptor
> )
> from samba.provision.common import (
>@@ -1255,6 +1256,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
> # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
> if fill == FILL_FULL:
> logger.info("Setting up sam.ldb configuration data")
>+ partitions_descr = b64encode(get_config_partitions_descriptor(domainsid))
> setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
> "CONFIGDN": names.configdn,
> "NETBIOSNAME": names.netbiosname,
>@@ -1266,6 +1268,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
> "SERVERDN": names.serverdn,
> "FOREST_FUNCTIONALITY": str(forestFunctionality),
> "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
>+ "PARTITIONS_DESCRIPTOR": partitions_descr,
> })
>
> logger.info("Setting up display specifiers")
>diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
>index 3bb2468..dd1f62f 100644
>--- a/source4/scripting/python/samba/provision/descriptor.py
>+++ b/source4/scripting/python/samba/provision/descriptor.py
>@@ -57,6 +57,23 @@ def get_config_descriptor(domain_sid):
> sec = security.descriptor.from_sddl(sddl, domain_sid)
> return ndr_pack(sec)
>
>+def get_config_partitions_descriptor(domain_sid):
>+ sddl = "D:" \
>+ "(A;;LCLORC;;;AU)" \
>+ "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)" \
>+ "(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)" \
>+ "(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)" \
>+ "(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)" \
>+ "(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)" \
>+ "(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)" \
>+ "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \
>+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
>+ "(A;;CC;;;ED)" \
>+ "(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)" \
>+ "S:" \
>+ "(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)"
>+ sec = security.descriptor.from_sddl(sddl, domain_sid)
>+ return ndr_pack(sec)
>
> def get_domain_descriptor(domain_sid):
> sddl= "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
>diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
>index 9fab2b5..cb5a251 100644
>--- a/source4/setup/provision_configuration.ldif
>+++ b/source4/setup/provision_configuration.ldif
>@@ -1018,6 +1018,7 @@ objectClass: crossRefContainer
> systemFlags: -2147483648
> msDS-Behavior-Version: ${FOREST_FUNCTIONALITY}
> showInAdvancedViewOnly: TRUE
>+nTSecurityDescriptor:: ${PARTITIONS_DESCRIPTOR}
>
> # Partitions for DNS are missing here, they are added from provision_dnszones.ldif
>
>--
>1.7.9.5
>
>
>From ba4144d5e7710706f66e61d88ed7c9ec4bfe091e Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 10 Dec 2012 11:32:07 +0100
>Subject: [PATCH 05/10] s4:provision: set the correct nTSecurityDescriptor on
> CN=Sites,CN=Configuration... (bug #9481)
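Review bot: get_config_partitions_descriptor() has no docstring and nothing records where its SDDL was taken from, which makes a later audit of these ACEs needlessly hard; a one-line docstring naming the object it protects (CN=Partitions,CN=Configuration) and the reference the string was transcribed from would do. The string starts at `D:` with no `O:`/`G:` owner and group, unlike get_domain_descriptor()'s `O:BAG:BAD:AI` just below; presumably the descriptor module supplies defaults for those, but since every later function in this series repeats the same shape that assumption should be written down once here. In fill_samdb() the new `partitions_descr` also abbreviates differently from the `*_desc` names the following patches introduce.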
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(cherry picked from commit 999c068113af6158355634eb9a9c4b5a4d3066d8)
>---
> .../scripting/python/samba/provision/__init__.py | 3 +++
> .../scripting/python/samba/provision/descriptor.py | 15 +++++++++++++++
> source4/setup/provision_configuration.ldif | 1 +
> 3 files changed, 19 insertions(+)
>
>diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
>index 63b1bd0..5e80d63 100644
>--- a/source4/scripting/python/samba/provision/__init__.py
>+++ b/source4/scripting/python/samba/provision/__init__.py
>@@ -80,6 +80,7 @@ from samba.provision.descriptor import (
> get_empty_descriptor,
> get_config_descriptor,
> get_config_partitions_descriptor,
>+ get_config_sites_descriptor,
> get_domain_descriptor
> )
> from samba.provision.common import (
>@@ -1257,6 +1258,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
> if fill == FILL_FULL:
> logger.info("Setting up sam.ldb configuration data")
> partitions_descr = b64encode(get_config_partitions_descriptor(domainsid))
>+ sites_descr = b64encode(get_config_sites_descriptor(domainsid))
> setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
> "CONFIGDN": names.configdn,
> "NETBIOSNAME": names.netbiosname,
>@@ -1269,6 +1271,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
> "FOREST_FUNCTIONALITY": str(forestFunctionality),
> "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
> "PARTITIONS_DESCRIPTOR": partitions_descr,
>+ "SITES_DESCRIPTOR": sites_descr,
> })
>
> logger.info("Setting up display specifiers")
>diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
>index dd1f62f..2deb550 100644
>--- a/source4/scripting/python/samba/provision/descriptor.py
>+++ b/source4/scripting/python/samba/provision/descriptor.py
>@@ -75,6 +75,21 @@ def get_config_partitions_descriptor(domain_sid):
> sec = security.descriptor.from_sddl(sddl, domain_sid)
> return ndr_pack(sec)
>
>+def get_config_sites_descriptor(domain_sid):
>+ sddl = "D:" \
>+ "(A;;RPLCLORC;;;AU)" \
>+ "(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;ER)" \
>+ "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \
>+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
>+ "S:" \
>+ "(AU;CISA;CCDCSDDT;;;WD)" \
>+ "(OU;CIIOSA;CR;;f0f8ffab-1191-11d0-a060-00aa006c33ed;WD)" \
>+ "(OU;CIIOSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \
>+ "(OU;CIIOSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \
>+ "(OU;CIIOSA;WP;3e10944c-c354-11d0-aff8-0000f80367c1;b7b13124-b82e-11d0-afee-0000f80367c1;WD)"
>+ sec = security.descriptor.from_sddl(sddl, domain_sid)
>+ return ndr_pack(sec)
>+
> def get_domain_descriptor(domain_sid):
> sddl= "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
> "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
>diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
>index cb5a251..1d818ef 100644
>--- a/source4/setup/provision_configuration.ldif
>+++ b/source4/setup/provision_configuration.ldif
>@@ -1195,6 +1195,7 @@ dn: CN=Sites,${CONFIGDN}
> objectClass: top
> objectClass: sitesContainer
> systemFlags: -2113929216
>+ntSecurityDescriptor:: ${SITES_DESCRIPTOR}
>
> dn: CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
> objectClass: top
>--
>1.7.9.5
>
>
>From 5d8c629a35c13e0248900552881e417cc1b2ffdc Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 10 Dec 2012 11:32:07 +0100
>Subject: [PATCH 06/10] s4:provision: set the correct nTSecurityDescriptor on
> CN=Infrastructure,... (bug #9481)
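Review bot: The line added to provision_configuration.ldif for CN=Sites spells the attribute `ntSecurityDescriptor::`, while the line the previous patch added to the same file and every other LDIF hunk in this series use `nTSecurityDescriptor::`. LDAP attribute names are matched case-insensitively, so this is not a functional defect, but a grep for the canonical casing will miss this entry; change it to `nTSecurityDescriptor:: ${SITES_DESCRIPTOR}`.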
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(cherry picked from commit ebb0a88722d416ad470497fd6ffa7b26abfe58bc)
>---
> .../scripting/python/samba/provision/__init__.py | 7 +++++--
> .../scripting/python/samba/provision/descriptor.py | 9 +++++++++
> source4/setup/provision.ldif | 1 +
> 3 files changed, 15 insertions(+), 2 deletions(-)
>
>diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
>index 5e80d63..74288c1 100644
>--- a/source4/scripting/python/samba/provision/__init__.py
>+++ b/source4/scripting/python/samba/provision/__init__.py
>@@ -81,7 +81,8 @@ from samba.provision.descriptor import (
> get_config_descriptor,
> get_config_partitions_descriptor,
> get_config_sites_descriptor,
>- get_domain_descriptor
>+ get_domain_descriptor,
>+ get_domain_infrastructure_descriptor,
> )
> from samba.provision.common import (
> setup_path,
>@@ -1296,6 +1297,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
> setup_path("provision_computers_modify.ldif"), {
> "DOMAINDN": names.domaindn})
> logger.info("Setting up sam.ldb data")
>+ infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid))
> setup_add_ldif(samdb, setup_path("provision.ldif"), {
> "CREATTIME": str(samba.unix2nttime(int(time.time()))),
> "DOMAINDN": names.domaindn,
>@@ -1304,7 +1306,8 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
> "CONFIGDN": names.configdn,
> "SERVERDN": names.serverdn,
> "RIDAVAILABLESTART": str(next_rid + 600),
>- "POLICYGUID_DC": policyguid_dc
>+ "POLICYGUID_DC": policyguid_dc,
>+ "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
> })
>
> # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
>diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
>index 2deb550..db38e19 100644
>--- a/source4/scripting/python/samba/provision/descriptor.py
>+++ b/source4/scripting/python/samba/provision/descriptor.py
>@@ -143,6 +143,15 @@ def get_domain_descriptor(domain_sid):
> sec = security.descriptor.from_sddl(sddl, domain_sid)
> return ndr_pack(sec)
>
>+def get_domain_infrastructure_descriptor(domain_sid):
>+ sddl = "D:" \
>+ "(A;;RPLCLORC;;;AU)" \
>+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \
>+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
>+ "S:" \
>+ "(AU;SA;WPCR;;;WD)"
>+ sec = security.descriptor.from_sddl(sddl, domain_sid)
>+ return ndr_pack(sec)
>
> def get_dns_partition_descriptor(domainsid):
> sddl = "O:SYG:BAD:AI" \
>diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
>index 2db01f9..0dcb7d4 100644
>--- a/source4/setup/provision.ldif
>+++ b/source4/setup/provision.ldif
>@@ -63,6 +63,7 @@ objectClass: top
> objectClass: infrastructureUpdate
> systemFlags: -1946157056
> isCriticalSystemObject: TRUE
>+nTSecurityDescriptor:: ${INFRASTRUCTURE_DESCRIPTOR}
>
> dn: CN=LostAndFound,${DOMAINDN}
> objectClass: top
>--
>1.7.9.5
>
>
>From 5a43ae520a9498857658d764975d5251a02febae Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 10 Dec 2012 11:32:07 +0100
>Subject: [PATCH 07/10] s4:provision: set the correct nTSecurityDescriptor on
> CN=Builtin,... (bug #9481)
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(cherry picked from commit e1301fef735b305736db0b6db335c37aa9fea832)
>---
> .../scripting/python/samba/provision/__init__.py | 3 ++
> .../scripting/python/samba/provision/descriptor.py | 57 ++++++++++++++++++++
> source4/setup/provision.ldif | 1 +
> 3 files changed, 61 insertions(+)
>
>diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
>index 74288c1..a081cea 100644
>--- a/source4/scripting/python/samba/provision/__init__.py
>+++ b/source4/scripting/python/samba/provision/__init__.py
>@@ -83,6 +83,7 @@ from samba.provision.descriptor import (
> get_config_sites_descriptor,
> get_domain_descriptor,
> get_domain_infrastructure_descriptor,
>+ get_domain_builtin_descriptor,
> )
> from samba.provision.common import (
> setup_path,
>@@ -1298,6 +1299,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
> "DOMAINDN": names.domaindn})
> logger.info("Setting up sam.ldb data")
> infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid))
>+ builtin_desc = b64encode(get_domain_builtin_descriptor(domainsid))
> setup_add_ldif(samdb, setup_path("provision.ldif"), {
> "CREATTIME": str(samba.unix2nttime(int(time.time()))),
> "DOMAINDN": names.domaindn,
>@@ -1308,6 +1310,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
> "RIDAVAILABLESTART": str(next_rid + 600),
> "POLICYGUID_DC": policyguid_dc,
> "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
>+ "BUILTIN_DESCRIPTOR": builtin_desc,
> })
>
> # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
>diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
>index db38e19..d37e2cd 100644
>--- a/source4/scripting/python/samba/provision/descriptor.py
>+++ b/source4/scripting/python/samba/provision/descriptor.py
>@@ -153,6 +153,63 @@ def get_domain_infrastructure_descriptor(domain_sid):
> sec = security.descriptor.from_sddl(sddl, domain_sid)
> return ndr_pack(sec)
>
>+def get_domain_builtin_descriptor(domain_sid):
>+ sddl = "D:" \
>+ "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
>+ "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
>+ "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
>+ "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
>+ "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
>+ "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
>+ "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
>+ "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
>+ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
>+ "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
>+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \
>+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \
>+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \
>+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \
>+ "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \
>+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \
>+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
>+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
>+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
>+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
>+ "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
>+ "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \
>+
"(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \
>+ "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \
>+ "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
>+ "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \
>+ "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \
>+ "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \
>+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \
>+ "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \
>+ "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \
>+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
>+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
>+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
>+ "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
>+ "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \
>+ "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \
>+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \
>+ "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \
>+ "(A;;RPRC;;;RU)" \
>+ "(A;CI;LC;;;RU)" \
>+ "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \
>+ "(A;;RP;;;WD)" \
>+ "(A;;RPLCLORC;;;ED)" \
>+ "(A;;RPLCLORC;;;AU)" \
>+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
>+ "S:" \
>+ "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \
>+ "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \
>+ "(AU;SA;CR;;;DU)" \
>+ "(AU;SA;CR;;;BA)" \
>+ "(AU;SA;WPWOWD;;;WD)"
>+ sec = security.descriptor.from_sddl(sddl, domain_sid)
>+ return ndr_pack(sec)
>+
> def get_dns_partition_descriptor(domainsid):
> sddl = "O:SYG:BAD:AI" \
> "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
>diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
>index 0dcb7d4..5d20189 100644
>--- a/source4/setup/provision.ldif
>+++ b/source4/setup/provision.ldif
>@@ -24,6 +24,7 @@ serverState: 1
> showInAdvancedViewOnly: FALSE
> systemFlags: -1946157056
> uASCompat: 1
>+nTSecurityDescriptor:: ${BUILTIN_DESCRIPTOR}
>
> dn: CN=Deleted Objects,${DOMAINDN}
> objectClass: top
>--
>1.7.9.5
>
>
>From 763be1ab9106af5236bbe29e9303ba1ca79f9f4c Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 10 Dec 2012 11:32:07 +0100
>Subject: [PATCH 08/10] s4:provision: set the correct nTSecurityDescriptor on
> CN=Computers,... (bug #9481)
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(cherry picked from commit 19b03834f08c2a6645a31fe18121534c692c18d1)
>---
> .../scripting/python/samba/provision/__init__.py | 6 +++++-
> .../scripting/python/samba/provision/descriptor.py | 14 ++++++++++++++
> source4/setup/provision_computers_add.ldif | 1 +
> 3 files changed, 20 insertions(+), 1 deletion(-)
>
>diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
>index a081cea..52dacde 100644
>--- a/source4/scripting/python/samba/provision/__init__.py
>+++ b/source4/scripting/python/samba/provision/__init__.py
>@@ -84,6 +84,7 @@ from samba.provision.descriptor import (
> get_domain_descriptor,
> get_domain_infrastructure_descriptor,
> get_domain_builtin_descriptor,
>+ get_domain_computers_descriptor,
> )
> from samba.provision.common import (
> setup_path,
>@@ -1291,8 +1292,11 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
> setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
> "DOMAINDN": names.domaindn})
> logger.info("Adding computers container")
>+ computers_desc = b64encode(get_domain_computers_descriptor(domainsid))
> setup_add_ldif(samdb, setup_path("provision_computers_add.ldif"), {
>- "DOMAINDN": names.domaindn})
>+ "DOMAINDN": names.domaindn,
>+ "COMPUTERS_DESCRIPTOR": computers_desc
>+ })
> logger.info("Modifying computers container")
> setup_modify_ldif(samdb,
> setup_path("provision_computers_modify.ldif"), {
>diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
>index d37e2cd..8d71969 100644
>--- a/source4/scripting/python/samba/provision/descriptor.py
>+++ b/source4/scripting/python/samba/provision/descriptor.py
>@@ -210,6 +210,20 @@ def get_domain_builtin_descriptor(domain_sid):
> sec = security.descriptor.from_sddl(sddl, domain_sid)
> return ndr_pack(sec)
>
>+def get_domain_computers_descriptor(domain_sid):
>+ sddl = "D:" \
>+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
>+ "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \
>+ "(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)" \
>+ "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \
>+ "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \
>+ "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \
>+ "(A;;RPLCLORC;;;AU)" \
>+ "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \
>+ "S:"
>+ sec = security.descriptor.from_sddl(sddl, domain_sid)
>+ return ndr_pack(sec)
>+
> def get_dns_partition_descriptor(domainsid):
> sddl = "O:SYG:BAD:AI" \
> "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
>diff --git a/source4/setup/provision_computers_add.ldif b/source4/setup/provision_computers_add.ldif
>index 6db3f41..45e2aa4 100644
>--- a/source4/setup/provision_computers_add.ldif
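Review bot: get_domain_computers_descriptor() ends its SDDL with a bare `"S:"`, an empty SACL section, and get_domain_users_descriptor() in the next patch does the same; whether a present-but-empty SACL is the intended result or a leftover should be stated in a comment, since every other descriptor in this series follows `S:` with audit ACEs. The two functions otherwise differ only by the one `(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)` entry, so a small shared helper that takes the list of ACE strings and does the `from_sddl`/`ndr_pack` step would keep the two from drifting apart. Neither function has a docstring naming the container it protects.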
>+++ b/source4/setup/provision_computers_add.ldif
>@@ -1,3 +1,4 @@
> dn: CN=Computers,${DOMAINDN}
> objectClass: top
> objectClass: container
>+nTSecurityDescriptor:: ${COMPUTERS_DESCRIPTOR}
>--
>1.7.9.5
>
>
>From 8b7b099c180e1d1f226dc0e827643f0cb31072a4 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 11 Dec 2012 03:15:26 +0100
>Subject: [PATCH 09/10] s4:provision: set the correct nTSecurityDescriptor on
> CN=Users,... (bug #9481)
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(cherry picked from commit 8eb359c23c6379be1ccc32e27fd2316d77a7c7b3)
>---
> .../scripting/python/samba/provision/__init__.py | 6 +++++-
> .../scripting/python/samba/provision/descriptor.py | 13 +++++++++++++
> source4/setup/provision_users_add.ldif | 1 +
> 3 files changed, 19 insertions(+), 1 deletion(-)
>
>diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
>index 52dacde..c5a8b39 100644
>--- a/source4/scripting/python/samba/provision/__init__.py
>+++ b/source4/scripting/python/samba/provision/__init__.py
>@@ -85,6 +85,7 @@ from samba.provision.descriptor import (
> get_domain_infrastructure_descriptor,
> get_domain_builtin_descriptor,
> get_domain_computers_descriptor,
>+ get_domain_users_descriptor,
> )
> from samba.provision.common import (
> setup_path,
>@@ -1286,8 +1287,11 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
> samdb.add_ldif(display_specifiers_ldif)
>
> logger.info("Adding users container")
>+ users_desc = b64encode(get_domain_users_descriptor(domainsid))
> setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
>- "DOMAINDN": names.domaindn})
>+ "DOMAINDN": names.domaindn,
>+ "USERS_DESCRIPTOR": users_desc
>+ })
> logger.info("Modifying users container")
> setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
> "DOMAINDN": names.domaindn})
>diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
>index 8d71969..2a98168 100644
>--- a/source4/scripting/python/samba/provision/descriptor.py
>+++ b/source4/scripting/python/samba/provision/descriptor.py
>@@ -224,6 +224,19 @@ def get_domain_computers_descriptor(domain_sid):
> sec = security.descriptor.from_sddl(sddl, domain_sid)
> return ndr_pack(sec)
>
>+def get_domain_users_descriptor(domain_sid):
>+ sddl = "D:" \
>+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
>+ "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \
>+ "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \
>+ "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \
>+ "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \
>+ "(A;;RPLCLORC;;;AU)" \
>+ "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \
>+ "S:"
>+ sec = security.descriptor.from_sddl(sddl, domain_sid)
>+ return ndr_pack(sec)
>+
> def get_dns_partition_descriptor(domainsid):
> sddl = "O:SYG:BAD:AI" \
> "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
>diff --git a/source4/setup/provision_users_add.ldif b/source4/setup/provision_users_add.ldif
>index db075d9..d5f76ed 100644
>--- a/source4/setup/provision_users_add.ldif
>+++ b/source4/setup/provision_users_add.ldif
>@@ -1,3 +1,4 @@
> dn: CN=Users,${DOMAINDN}
> objectClass: top
> objectClass: container
>+nTSecurityDescriptor:: ${USERS_DESCRIPTOR}
>--
>1.7.9.5
>
>
>From 09f13af434857b8e98961796e9a8d2e4793a1a14 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 11 Dec 2012 03:15:26 +0100
>Subject: [PATCH 10/10] s4:provision: set the correct nTSecurityDescriptor on
> CN=Domain Controllers,... (bug #9481)
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>
>Autobuild-User(master): Michael Adam <obnox@samba.org>
>Autobuild-Date(master): Tue Dec 11 07:05:39 CET 2012 on sn-devel-104
>(cherry picked from commit 914a61d9e5b7a182592f3afe60f4dad1cd342fc4)
>---
> .../scripting/python/samba/provision/__init__.py | 3 +++
> .../scripting/python/samba/provision/descriptor.py | 12 ++++++++++++
> source4/setup/provision.ldif | 1 +
> 3 files changed, 16 insertions(+)
>
>diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
>index c5a8b39..e6ea855 100644
>--- a/source4/scripting/python/samba/provision/__init__.py
>+++ b/source4/scripting/python/samba/provision/__init__.py
>@@ -86,6 +86,7 @@ from samba.provision.descriptor import (
> get_domain_builtin_descriptor,
> get_domain_computers_descriptor,
> get_domain_users_descriptor,
>+ get_domain_controllers_descriptor
> )
> from samba.provision.common import (
> setup_path,
>@@ -1308,6 +1309,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
> logger.info("Setting up sam.ldb data")
> infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid))
> builtin_desc = b64encode(get_domain_builtin_descriptor(domainsid))
>+ controllers_desc = b64encode(get_domain_controllers_descriptor(domainsid))
> setup_add_ldif(samdb, setup_path("provision.ldif"), {
> "CREATTIME": str(samba.unix2nttime(int(time.time()))),
> "DOMAINDN": names.domaindn,
>@@ -1319,6 +1321,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
> "POLICYGUID_DC": policyguid_dc,
> "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
> "BUILTIN_DESCRIPTOR": builtin_desc,
>+ "DOMAIN_CONTROLLERS_DESCRIPTOR": controllers_desc,
> })
>
> # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
>diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
>index 2a98168..adf7579 100644
>--- a/source4/scripting/python/samba/provision/descriptor.py
>+++ b/source4/scripting/python/samba/provision/descriptor.py
>@@ -237,6 +237,18 @@ def get_domain_users_descriptor(domain_sid):
> sec = security.descriptor.from_sddl(sddl, domain_sid)
> return ndr_pack(sec)
>
>+def get_domain_controllers_descriptor(domain_sid):
>+ sddl = "D:" \
>+ "(A;;RPLCLORC;;;AU)" \
>+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \
>+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
>+ "(A;;RPLCLORC;;;ED)" \
>+ "S:" \
>+ "(AU;SA;CCDCWOWDSDDT;;;WD)" \
>+ "(AU;CISA;WP;;;WD)"
>+ sec = security.descriptor.from_sddl(sddl, domain_sid)
>+ return ndr_pack(sec)
>+
> def get_dns_partition_descriptor(domainsid):
> sddl = "O:SYG:BAD:AI" \
> "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
>diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
>index 5d20189..51e56ff 100644
>--- a/source4/setup/provision.ldif
>+++ b/source4/setup/provision.ldif
>@@ -46,6 +46,7 @@ systemFlags: -1946157056
> isCriticalSystemObject: TRUE
> showInAdvancedViewOnly: FALSE
> gPLink: [LDAP://CN={${POLICYGUID_DC}},CN=Policies,CN=System,${DOMAINDN};0]
>+nTSecurityDescriptor:: ${DOMAIN_CONTROLLERS_DESCRIPTOR}
>
> # Joined DC located in "provision_self_join.ldif"
>
>--
>1.7.9.5
>
Flags:
obnox
:
review+
metze
:
review+