From 64f324d9ba949590e5ff008ec1af2ad84dcb3f59 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 20 Mar 2013 14:12:26 +1100 Subject: [PATCH 01/12] scripting: Move the list of well known SDs to samba.provision.descriptor This will allow us to call this from dbcheck. Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 3da89b01faebba669434b07db344c203a4521ca2) --- python/samba/provision/descriptor.py | 58 ++++++++++++++++++++++ source4/scripting/bin/samba_upgradeprovision | 73 +--------------------------- 2 files changed, 60 insertions(+), 71 deletions(-) diff --git a/python/samba/provision/descriptor.py b/python/samba/provision/descriptor.py index 32e91ed..df541c2 100644 --- a/python/samba/provision/descriptor.py +++ b/python/samba/provision/descriptor.py @@ -28,6 +28,7 @@ from samba.dcerpc import security from samba.ndr import ndr_pack +from samba.schema import get_schema_descriptor # Descriptors of naming contexts and other important objects 
@@ -357,3 +358,60 @@ def get_dns_domain_microsoft_dns_descriptor(domain_sid, name_map={}): "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" return sddl2binary(sddl, domain_sid, name_map) + +def get_wellknown_sds(names): + + # Then subcontainers + subcontainers = [ + ("%s" % str(names.domaindn), get_domain_descriptor), + ("CN=LostAndFound,%s" % str(names.domaindn), get_domain_delete_protected2_descriptor), + ("CN=System,%s" % str(names.domaindn), get_domain_delete_protected1_descriptor), + ("CN=Infrastructure,%s" % str(names.domaindn), get_domain_infrastructure_descriptor), + ("CN=Builtin,%s" % str(names.domaindn), get_domain_builtin_descriptor), + ("CN=Computers,%s" % str(names.domaindn), get_domain_computers_descriptor), + ("CN=Users,%s" % str(names.domaindn), get_domain_users_descriptor), + ("OU=Domain Controllers,%s" % str(names.domaindn), get_domain_controllers_descriptor), + ("CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn), get_dns_domain_microsoft_dns_descriptor), + + ("%s" % str(names.configdn), get_config_descriptor), + ("CN=NTDS Quotas,%s" % str(names.configdn), get_config_ntds_quotas_descriptor), + ("CN=LostAndFoundConfig,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), + ("CN=Services,%s" % str(names.configdn), get_config_delete_protected1_descriptor), + ("CN=Physical Locations,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), + ("CN=WellKnown Security Principals,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), + ("CN=ForestUpdates,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), + ("CN=DisplaySpecifiers,%s" % str(names.configdn), get_config_delete_protected2_descriptor), + ("CN=Extended-Rights,%s" % str(names.configdn), get_config_delete_protected2_descriptor), + ("CN=Partitions,%s" % str(names.configdn), get_config_partitions_descriptor), + ("CN=Sites,%s" % str(names.configdn), get_config_sites_descriptor), + + ("%s" % 
str(names.schemadn), get_schema_descriptor), + ] + + if names.dnsforestdn is not None: + c = ("%s" % str(names.dnsforestdn), get_dns_partition_descriptor) + subcontainers.append(c) + c = ("CN=Infrastructure,%s" % str(names.dnsforestdn), + get_domain_delete_protected1_descriptor) + subcontainers.append(c) + c = ("CN=LostAndFound,%s" % str(names.dnsforestdn), + get_domain_delete_protected2_descriptor) + subcontainers.append(c) + c = ("CN=MicrosoftDNS,%s" % str(names.dnsforestdn), + get_dns_forest_microsoft_dns_descriptor) + subcontainers.append(c) + + if names.dnsdomaindn is not None: + c = ("%s" % str(names.dnsdomaindn), get_dns_partition_descriptor) + subcontainers.append(c) + c = ("CN=Infrastructure,%s" % str(names.dnsdomaindn), + get_domain_delete_protected1_descriptor) + subcontainers.append(c) + c = ("CN=LostAndFound,%s" % str(names.dnsdomaindn), + get_domain_delete_protected2_descriptor) + subcontainers.append(c) + c = ("CN=MicrosoftDNS,%s" % str(names.dnsdomaindn), + get_dns_domain_microsoft_dns_descriptor) + subcontainers.append(c) + + return subcontainers diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision index 8e7d792..0ca70b5 100755 --- a/source4/scripting/bin/samba_upgradeprovision +++ b/source4/scripting/bin/samba_upgradeprovision 
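Review bot: get_wellknown_sds() in this hunk has no docstring, and the `# Then subcontainers` comment it carries over reads as the second half of a sequence that no longer exists once the list is lifted out of fix_wellknown_sd. Because dbcheck is the intended new caller (per the commit message) and this list decides which naming-context and container objects get their security descriptor enforced, the contract belongs here: I would replace the stray comment with `"""Return [(dn_string, descriptor_fn), ...] for the well-known objects whose security descriptors are enforced; each descriptor_fn takes (domain_sid, name_map) like the get_*_descriptor helpers in this module and returns a packed descriptor."""`. It would also help to state that `names` must expose domaindn, configdn and schemadn plus the optional dnsforestdn/dnsdomaindn attributes, since those are the only fields the function reads.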
@@ -46,26 +46,8 @@ from ldb import (SCOPE_SUBTREE, SCOPE_BASE, MessageElement, Message, Dn, LdbError) from samba import param, dsdb, Ldb from samba.common import confirm +from samba.provision.descriptor import get_wellknown_sds, get_empty_descriptor from samba.provision import (find_provision_key_parameters, - get_empty_descriptor, - get_config_descriptor, - get_config_partitions_descriptor, - get_config_sites_descriptor, - get_config_ntds_quotas_descriptor, - get_config_delete_protected1_descriptor, - get_config_delete_protected1wd_descriptor, - get_config_delete_protected2_descriptor, - get_domain_descriptor, - get_domain_infrastructure_descriptor, - get_domain_builtin_descriptor, - get_domain_computers_descriptor, - get_domain_users_descriptor, - get_domain_controllers_descriptor, - get_domain_delete_protected1_descriptor, - get_domain_delete_protected2_descriptor, - get_dns_partition_descriptor, - get_dns_forest_microsoft_dns_descriptor, - get_dns_domain_microsoft_dns_descriptor, ProvisioningError, get_last_provision_usn, get_max_usn, update_provision_usn, setup_path) from samba.schema import get_linked_attributes, Schema, get_schema_descriptor 
@@ -1229,58 +1211,7 @@ def fix_wellknown_sd(samdb, names): list_wellknown_dns = [] - # Then subcontainers - subcontainers = [ - ("%s" % str(names.domaindn), get_domain_descriptor), - ("CN=LostAndFound,%s" % str(names.domaindn), get_domain_delete_protected2_descriptor), - ("CN=System,%s" % str(names.domaindn), get_domain_delete_protected1_descriptor), - ("CN=Infrastructure,%s" % str(names.domaindn), get_domain_infrastructure_descriptor), - ("CN=Builtin,%s" % str(names.domaindn), get_domain_builtin_descriptor), - ("CN=Computers,%s" % str(names.domaindn), get_domain_computers_descriptor), - ("CN=Users,%s" % str(names.domaindn), get_domain_users_descriptor), - ("OU=Domain Controllers,%s" % str(names.domaindn), get_domain_controllers_descriptor), - ("CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn), get_dns_domain_microsoft_dns_descriptor), - - ("%s" % str(names.configdn), get_config_descriptor), - ("CN=NTDS Quotas,%s" % str(names.configdn), get_config_ntds_quotas_descriptor), - ("CN=LostAndFoundConfig,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), - ("CN=Services,%s" % str(names.configdn), get_config_delete_protected1_descriptor), - ("CN=Physical Locations,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), - ("CN=WellKnown Security Principals,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), - ("CN=ForestUpdates,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), - ("CN=DisplaySpecifiers,%s" % str(names.configdn), get_config_delete_protected2_descriptor), - ("CN=Extended-Rights,%s" % str(names.configdn), get_config_delete_protected2_descriptor), - ("CN=Partitions,%s" % str(names.configdn), get_config_partitions_descriptor), - ("CN=Sites,%s" % str(names.configdn), get_config_sites_descriptor), - - ("%s" % str(names.schemadn), get_schema_descriptor), - ] - - if names.dnsforestdn is not None: - c = ("%s" % str(names.dnsforestdn), get_dns_partition_descriptor) - subcontainers.append(c) - 
c = ("CN=Infrastructure,%s" % str(names.dnsforestdn), - get_domain_delete_protected1_descriptor) - subcontainers.append(c) - c = ("CN=LostAndFound,%s" % str(names.dnsforestdn), - get_domain_delete_protected2_descriptor) - subcontainers.append(c) - c = ("CN=MicrosoftDNS,%s" % str(names.dnsforestdn), - get_dns_forest_microsoft_dns_descriptor) - subcontainers.append(c) - - if names.dnsdomaindn is not None: - c = ("%s" % str(names.dnsdomaindn), get_dns_partition_descriptor) - subcontainers.append(c) - c = ("CN=Infrastructure,%s" % str(names.dnsdomaindn), - get_domain_delete_protected1_descriptor) - subcontainers.append(c) - c = ("CN=LostAndFound,%s" % str(names.dnsdomaindn), - get_domain_delete_protected2_descriptor) - subcontainers.append(c) - c = ("CN=MicrosoftDNS,%s" % str(names.dnsdomaindn), - get_dns_domain_microsoft_dns_descriptor) - subcontainers.append(c) + subcontainers = get_wellknown_sds(names) for [strdn, descriptor_fn] in subcontainers: dn = Dn(samdb, strdn) -- 1.7.11.7 From 25b4bec0b815cd4889b316e61d2ab79286981ffc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 20 Mar 2013 14:50:55 +1100 Subject: [PATCH 02/12] scripting: Fix documentation comment on upgradehelpers.py:get_clean_sd Reviewed-by: Stefan Metzmacher (cherry picked from commit 6df17fe799968ca7e2f92ce9e294e3962ac8cbaf) --- python/samba/upgradehelpers.py | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/python/samba/upgradehelpers.py b/python/samba/upgradehelpers.py index 298e767..13a3691 100644 --- a/python/samba/upgradehelpers.py +++ b/python/samba/upgradehelpers.py 
@@ -347,15 +347,10 @@ def chunck_sddl(sddl): def get_clean_sd(sd): - """Get the SD without difference between 2 sddl + """Get the SD without any inherited ACEs - This function split the textual representation of ACL into smaller - chunck in order to not to report a simple permutation as a difference - - :param refsddl: First sddl to compare - :param cursddl: Second sddl to compare - :param checkSacl: If false we skip the sacl checks - :return: A string that explain difference between sddls + :param sd: SD to strip + :return: An SD with inherited ACEs stripped """ sd_clean = security.descriptor() -- 1.7.11.7 From 5e573befced1c81de9b8b5fcb3ccb2b43cd1935d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 21 Mar 2013 12:49:46 +1100 Subject: [PATCH 03/12] scripting: Make samba.provision.descriptor.get_wellknown_sds() return ldb.Dn objects As we look to use this function in more places, it does not make sense to constantly create Dn objects from the strings. Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit e81a97dd6fc2da701f2cbf42513311a7a44adad3) --- python/samba/provision/descriptor.py | 65 ++++++++++++++-------------- source4/scripting/bin/samba_upgradeprovision | 5 +-- 2 files changed, 35 insertions(+), 35 deletions(-) diff --git a/python/samba/provision/descriptor.py b/python/samba/provision/descriptor.py index df541c2..9916a22 100644 --- a/python/samba/provision/descriptor.py +++ b/python/samba/provision/descriptor.py @@ -29,6 +29,7 @@ from samba.dcerpc import security from samba.ndr import ndr_pack from samba.schema import get_schema_descriptor +import ldb # Descriptors of naming contexts and other important objects 
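Review bot: The corrected docstring for get_clean_sd() still leaves the types unstated; the body continues outside the hunk, but the visible `sd_clean = security.descriptor()` shows the result is a freshly built security.descriptor. I would write `:param sd: security.descriptor to take the non-inherited ACEs from` and `:return: A new security.descriptor holding only the non-inherited ACEs`, which also tells callers that `sd` itself is presumably left untouched — worth confirming against the rest of the function before stating it.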
@@ -359,58 +360,58 @@ def get_dns_domain_microsoft_dns_descriptor(domain_sid, name_map={}): "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" return sddl2binary(sddl, domain_sid, name_map) -def get_wellknown_sds(names): +def get_wellknown_sds(names, samdb): # Then subcontainers subcontainers = [ - ("%s" % str(names.domaindn), get_domain_descriptor), - ("CN=LostAndFound,%s" % str(names.domaindn), get_domain_delete_protected2_descriptor), - ("CN=System,%s" % str(names.domaindn), get_domain_delete_protected1_descriptor), - ("CN=Infrastructure,%s" % str(names.domaindn), get_domain_infrastructure_descriptor), - ("CN=Builtin,%s" % str(names.domaindn), get_domain_builtin_descriptor), - ("CN=Computers,%s" % str(names.domaindn), get_domain_computers_descriptor), - ("CN=Users,%s" % str(names.domaindn), get_domain_users_descriptor), - ("OU=Domain Controllers,%s" % str(names.domaindn), get_domain_controllers_descriptor), - ("CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn), get_dns_domain_microsoft_dns_descriptor), - - ("%s" % str(names.configdn), get_config_descriptor), - ("CN=NTDS Quotas,%s" % str(names.configdn), get_config_ntds_quotas_descriptor), - ("CN=LostAndFoundConfig,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), - ("CN=Services,%s" % str(names.configdn), get_config_delete_protected1_descriptor), - ("CN=Physical Locations,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), - ("CN=WellKnown Security Principals,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), - ("CN=ForestUpdates,%s" % str(names.configdn), get_config_delete_protected1wd_descriptor), - ("CN=DisplaySpecifiers,%s" % str(names.configdn), get_config_delete_protected2_descriptor), - ("CN=Extended-Rights,%s" % str(names.configdn), get_config_delete_protected2_descriptor), - ("CN=Partitions,%s" % str(names.configdn), get_config_partitions_descriptor), - ("CN=Sites,%s" % str(names.configdn), get_config_sites_descriptor), - - ("%s" % str(names.schemadn), 
get_schema_descriptor), + (ldb.Dn(samdb, "%s" % str(names.domaindn)), get_domain_descriptor), + (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.domaindn)), get_domain_delete_protected2_descriptor), + (ldb.Dn(samdb, "CN=System,%s" % str(names.domaindn)), get_domain_delete_protected1_descriptor), + (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.domaindn)), get_domain_infrastructure_descriptor), + (ldb.Dn(samdb, "CN=Builtin,%s" % str(names.domaindn)), get_domain_builtin_descriptor), + (ldb.Dn(samdb, "CN=Computers,%s" % str(names.domaindn)), get_domain_computers_descriptor), + (ldb.Dn(samdb, "CN=Users,%s" % str(names.domaindn)), get_domain_users_descriptor), + (ldb.Dn(samdb, "OU=Domain Controllers,%s" % str(names.domaindn)), get_domain_controllers_descriptor), + (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn)), get_dns_domain_microsoft_dns_descriptor), + + (ldb.Dn(samdb, "%s" % str(names.configdn)), get_config_descriptor), + (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(names.configdn)), get_config_ntds_quotas_descriptor), + (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), + (ldb.Dn(samdb, "CN=Services,%s" % str(names.configdn)), get_config_delete_protected1_descriptor), + (ldb.Dn(samdb, "CN=Physical Locations,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), + (ldb.Dn(samdb, "CN=WellKnown Security Principals,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), + (ldb.Dn(samdb, "CN=ForestUpdates,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), + (ldb.Dn(samdb, "CN=DisplaySpecifiers,%s" % str(names.configdn)), get_config_delete_protected2_descriptor), + (ldb.Dn(samdb, "CN=Extended-Rights,%s" % str(names.configdn)), get_config_delete_protected2_descriptor), + (ldb.Dn(samdb, "CN=Partitions,%s" % str(names.configdn)), get_config_partitions_descriptor), + (ldb.Dn(samdb, "CN=Sites,%s" % str(names.configdn)), 
get_config_sites_descriptor), + + (ldb.Dn(samdb, "%s" % str(names.schemadn)), get_schema_descriptor), ] if names.dnsforestdn is not None: - c = ("%s" % str(names.dnsforestdn), get_dns_partition_descriptor) + c = (ldb.Dn(samdb, "%s" % str(names.dnsforestdn)), get_dns_partition_descriptor) subcontainers.append(c) - c = ("CN=Infrastructure,%s" % str(names.dnsforestdn), + c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsforestdn)), get_domain_delete_protected1_descriptor) subcontainers.append(c) - c = ("CN=LostAndFound,%s" % str(names.dnsforestdn), + c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsforestdn)), get_domain_delete_protected2_descriptor) subcontainers.append(c) - c = ("CN=MicrosoftDNS,%s" % str(names.dnsforestdn), + c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsforestdn)), get_dns_forest_microsoft_dns_descriptor) subcontainers.append(c) if names.dnsdomaindn is not None: - c = ("%s" % str(names.dnsdomaindn), get_dns_partition_descriptor) + c = (ldb.Dn(samdb, "%s" % str(names.dnsdomaindn)), get_dns_partition_descriptor) subcontainers.append(c) - c = ("CN=Infrastructure,%s" % str(names.dnsdomaindn), + c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsdomaindn)), get_domain_delete_protected1_descriptor) subcontainers.append(c) - c = ("CN=LostAndFound,%s" % str(names.dnsdomaindn), + c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsdomaindn)), get_domain_delete_protected2_descriptor) subcontainers.append(c) - c = ("CN=MicrosoftDNS,%s" % str(names.dnsdomaindn), + c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsdomaindn)), get_dns_domain_microsoft_dns_descriptor) subcontainers.append(c) diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision index 0ca70b5..c6fc8f2 100755 --- a/source4/scripting/bin/samba_upgradeprovision +++ b/source4/scripting/bin/samba_upgradeprovision 
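Review bot: The new `samdb` parameter is appended after `names`, while the only caller shown, `fix_wellknown_sd(samdb, names)` in the samba_upgradeprovision hunk that follows, orders them the other way; if no other caller exists yet, `def get_wellknown_sds(samdb, names):` would keep the two signatures parallel while the API is still fresh. Every entry also wraps its DN as `ldb.Dn(samdb, "%s" % str(names.domaindn))`, where the `"%s" %` around `str()` is a no-op and could be dropped, e.g. `(ldb.Dn(samdb, str(names.domaindn)), get_domain_descriptor),`. Since the return type silently changed from strings to ldb.Dn objects, a docstring stating `Return a list of (ldb.Dn, descriptor_fn) tuples` would save the next caller a surprise; the closing `return subcontainers` lies outside this hunk.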
@@ -1211,10 +1211,9 @@ def fix_wellknown_sd(samdb, names): list_wellknown_dns = [] - subcontainers = get_wellknown_sds(names) + subcontainers = get_wellknown_sds(names, samdb) - for [strdn, descriptor_fn] in subcontainers: - dn = Dn(samdb, strdn) + for [dn, descriptor_fn] in subcontainers: list_wellknown_dns.append(dn) if dn in dnToRecalculate: delta = Message() -- 1.7.11.7 From 6388e27d945f42ce1bfbc12e5d2d411b7200b561 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 21 Mar 2013 13:34:26 +1100 Subject: [PATCH 04/12] scripting: Move samba.provision.descriptor to samba.descriptor This will allow dbcheck to import it, without a circular dependency via samba.provision importing dbcheck. Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 352aff8ed7e06c14b7a00a56b31c79ffddf71dd4) --- python/samba/descriptor.py | 418 +++++++++++++++++++++++++++ python/samba/provision/__init__.py | 2 +- python/samba/provision/descriptor.py | 418 --------------------------- python/samba/provision/sambadns.py | 2 +- source4/scripting/bin/samba_upgradeprovision | 2 +- 5 files changed, 421 insertions(+), 421 deletions(-) create mode 100644 python/samba/descriptor.py delete mode 100644 python/samba/provision/descriptor.py diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py new file mode 100644 index 0000000..9916a22 --- /dev/null +++ b/python/samba/descriptor.py 
@@ -0,0 +1,418 @@ + +# Unix SMB/CIFS implementation. +# backend code for provisioning a Samba4 server + +# Copyright (C) Jelmer Vernooij 2007-2010 +# Copyright (C) Andrew Bartlett 2008-2009 +# Copyright (C) Oliver Liebel 2008-2009 +# Copyright (C) Amitay Isaacs 2011 +# +# Based on the original in EJS: +# Copyright (C) Andrew Tridgell 2005 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +"""Functions for setting up a Samba configuration (security descriptors).""" + +from samba.dcerpc import security +from samba.ndr import ndr_pack +from samba.schema import get_schema_descriptor +import ldb + +# Descriptors of naming contexts and other important objects + +def sddl2binary(sddl_in, domain_sid, name_map): + sddl = "%s" % sddl_in + + for [name, sid] in name_map.items(): + sddl = sddl.replace(name, sid) + + sec = security.descriptor.from_sddl(sddl, domain_sid) + return ndr_pack(sec) + +def get_empty_descriptor(domain_sid, name_map={}): + sddl= "" + return sddl2binary(sddl, domain_sid, name_map) + +# "get_schema_descriptor" is located in "schema.py" + +def get_config_descriptor(domain_sid, name_map={}): + sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + 
"(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(A;;RPLCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIO;RPWPCRCCLCLORCWOWDSDSW;;;DA)" \ + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ + "S:(AU;SA;WPWOWD;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)" \ + "(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_config_partitions_descriptor(domain_sid, name_map={}): + sddl = "D:" \ + "(A;;LCLORC;;;AU)" \ + "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)" \ + "(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)" \ + "(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)" \ + "(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)" \ + "(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)" \ + "(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "(A;;CC;;;ED)" \ + "(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)" \ + "S:" \ + "(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_config_sites_descriptor(domain_sid, name_map={}): + sddl = "D:" \ + "(A;;RPLCLORC;;;AU)" \ + "(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;ER)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "S:" \ + "(AU;CISA;CCDCSDDT;;;WD)" \ + "(OU;CIIOSA;CR;;f0f8ffab-1191-11d0-a060-00aa006c33ed;WD)" \ + "(OU;CIIOSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \ + "(OU;CIIOSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \ + 
"(OU;CIIOSA;WP;3e10944c-c354-11d0-aff8-0000f80367c1;b7b13124-b82e-11d0-afee-0000f80367c1;WD)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_config_ntds_quotas_descriptor(domain_sid, name_map={}): + sddl = "D:" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ + "(A;;RPLCLORC;;;BA)" \ + "(OA;;CR;4ecc03fe-ffc0-4947-b630-eb672a8a9dbc;;WD)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_config_delete_protected1_descriptor(domain_sid, name_map={}): + sddl = "D:AI" \ + "(A;;RPLCLORC;;;AU)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_config_delete_protected1wd_descriptor(domain_sid, name_map={}): + sddl = "D:AI" \ + "(A;;RPLCLORC;;;WD)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_config_delete_protected2_descriptor(domain_sid, name_map={}): + sddl = "D:AI" \ + "(A;;RPLCLORC;;;AU)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSW;;;EA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_domain_descriptor(domain_sid, name_map={}): + sddl= "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + 
"(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \ + "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ + "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ + "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ + "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ + "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ + "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ + "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \ + "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ + "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \ + "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ + "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ + "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ + "(A;;RPRC;;;RU)" \ + "(A;CI;LC;;;RU)" \ + 
"(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \ + "(A;;RP;;;WD)" \ + "(A;;RPLCLORC;;;ED)" \ + "(A;;RPLCLORC;;;AU)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "S:AI(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ + "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ + "(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWOWD;;;WD)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_domain_infrastructure_descriptor(domain_sid, name_map={}): + sddl = "D:" \ + "(A;;RPLCLORC;;;AU)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "S:" \ + "(AU;SA;WPCR;;;WD)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_domain_builtin_descriptor(domain_sid, name_map={}): + sddl = "D:" \ + "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \ + "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ + 
"(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ + "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ + "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ + "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ + "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ + "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \ + "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ + "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \ + "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ + "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ + "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ + "(A;;RPRC;;;RU)" \ + "(A;CI;LC;;;RU)" \ + "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \ + "(A;;RP;;;WD)" \ + "(A;;RPLCLORC;;;ED)" \ + "(A;;RPLCLORC;;;AU)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "S:" \ + "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ + "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ + "(AU;SA;CR;;;DU)" \ + "(AU;SA;CR;;;BA)" \ + 
"(AU;SA;WPWOWD;;;WD)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_domain_computers_descriptor(domain_sid, name_map={}): + sddl = "D:" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \ + "(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)" \ + "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \ + "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \ + "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \ + "(A;;RPLCLORC;;;AU)" \ + "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \ + "S:" + return sddl2binary(sddl, domain_sid, name_map) + +def get_domain_users_descriptor(domain_sid, name_map={}): + sddl = "D:" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \ + "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \ + "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \ + "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \ + "(A;;RPLCLORC;;;AU)" \ + "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \ + "S:" + return sddl2binary(sddl, domain_sid, name_map) + +def get_domain_controllers_descriptor(domain_sid, name_map={}): + sddl = "D:" \ + "(A;;RPLCLORC;;;AU)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "(A;;RPLCLORC;;;ED)" \ + "S:" \ + "(AU;SA;CCDCWOWDSDDT;;;WD)" \ + "(AU;CISA;WP;;;WD)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_domain_delete_protected1_descriptor(domain_sid, name_map={}): + sddl = "D:AI" \ + "(A;;RPLCLORC;;;AU)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_domain_delete_protected2_descriptor(domain_sid, name_map={}): + sddl = "D:AI" \ + "(A;;RPLCLORC;;;AU)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_dns_partition_descriptor(domain_sid, name_map={}): + sddl = "O:SYG:BAD:AI" \ + 
"(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ + "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ + "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ + "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ + "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ + "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ + "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ + "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ + "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ + "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \ + 
"(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ + "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \ + "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ + "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \ + "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \ + "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ + "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ + "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ + "(A;;RPRC;;;RU)" \ + "(A;CI;LC;;;RU)" \ + "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \ + "(A;;RP;;;WD)" \ + "(A;;RPLCLORC;;;ED)" \ + "(A;;RPLCLORC;;;AU)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "S:AI" \ + "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ + "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ + "(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWOWD;;;WD)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_dns_forest_microsoft_dns_descriptor(domain_sid, name_map={}): + sddl = "O:SYG:SYD:AI" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_dns_domain_microsoft_dns_descriptor(domain_sid, name_map={}): + sddl = "O:SYG:SYD:AI" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" \ + "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;DnsAdmins)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" + return sddl2binary(sddl, domain_sid, name_map) + +def get_wellknown_sds(names, samdb): + + # Then subcontainers + subcontainers = [ + (ldb.Dn(samdb, "%s" % str(names.domaindn)), get_domain_descriptor), + (ldb.Dn(samdb, 
"CN=LostAndFound,%s" % str(names.domaindn)), get_domain_delete_protected2_descriptor), + (ldb.Dn(samdb, "CN=System,%s" % str(names.domaindn)), get_domain_delete_protected1_descriptor), + (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.domaindn)), get_domain_infrastructure_descriptor), + (ldb.Dn(samdb, "CN=Builtin,%s" % str(names.domaindn)), get_domain_builtin_descriptor), + (ldb.Dn(samdb, "CN=Computers,%s" % str(names.domaindn)), get_domain_computers_descriptor), + (ldb.Dn(samdb, "CN=Users,%s" % str(names.domaindn)), get_domain_users_descriptor), + (ldb.Dn(samdb, "OU=Domain Controllers,%s" % str(names.domaindn)), get_domain_controllers_descriptor), + (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn)), get_dns_domain_microsoft_dns_descriptor), + + (ldb.Dn(samdb, "%s" % str(names.configdn)), get_config_descriptor), + (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(names.configdn)), get_config_ntds_quotas_descriptor), + (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), + (ldb.Dn(samdb, "CN=Services,%s" % str(names.configdn)), get_config_delete_protected1_descriptor), + (ldb.Dn(samdb, "CN=Physical Locations,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), + (ldb.Dn(samdb, "CN=WellKnown Security Principals,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), + (ldb.Dn(samdb, "CN=ForestUpdates,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), + (ldb.Dn(samdb, "CN=DisplaySpecifiers,%s" % str(names.configdn)), get_config_delete_protected2_descriptor), + (ldb.Dn(samdb, "CN=Extended-Rights,%s" % str(names.configdn)), get_config_delete_protected2_descriptor), + (ldb.Dn(samdb, "CN=Partitions,%s" % str(names.configdn)), get_config_partitions_descriptor), + (ldb.Dn(samdb, "CN=Sites,%s" % str(names.configdn)), get_config_sites_descriptor), + + (ldb.Dn(samdb, "%s" % str(names.schemadn)), get_schema_descriptor), + ] + + if names.dnsforestdn is not 
None: + c = (ldb.Dn(samdb, "%s" % str(names.dnsforestdn)), get_dns_partition_descriptor) + subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsforestdn)), + get_domain_delete_protected1_descriptor) + subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsforestdn)), + get_domain_delete_protected2_descriptor) + subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsforestdn)), + get_dns_forest_microsoft_dns_descriptor) + subcontainers.append(c) + + if names.dnsdomaindn is not None: + c = (ldb.Dn(samdb, "%s" % str(names.dnsdomaindn)), get_dns_partition_descriptor) + subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsdomaindn)), + get_domain_delete_protected1_descriptor) + subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsdomaindn)), + get_domain_delete_protected2_descriptor) + subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsdomaindn)), + get_dns_domain_microsoft_dns_descriptor) + subcontainers.append(c) + + return subcontainers diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py index a5385e7..32baac6 100644 --- a/python/samba/provision/__init__.py +++ b/python/samba/provision/__init__.py @@ -76,7 +76,7 @@ from samba.provision.backend import ( LDBBackend, OpenLDAPBackend, ) -from samba.provision.descriptor import ( +from samba.descriptor import ( get_empty_descriptor, get_config_descriptor, get_config_partitions_descriptor, diff --git a/python/samba/provision/descriptor.py b/python/samba/provision/descriptor.py deleted file mode 100644 index 9916a22..0000000 --- a/python/samba/provision/descriptor.py +++ /dev/null 
@@ -1,418 +0,0 @@ - -# Unix SMB/CIFS implementation. -# backend code for provisioning a Samba4 server - -# Copyright (C) Jelmer Vernooij 2007-2010 -# Copyright (C) Andrew Bartlett 2008-2009 -# Copyright (C) Oliver Liebel 2008-2009 -# Copyright (C) Amitay Isaacs 2011 -# -# Based on the original in EJS: -# Copyright (C) Andrew Tridgell 2005 -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# - -"""Functions for setting up a Samba configuration (security descriptors).""" - -from samba.dcerpc import security -from samba.ndr import ndr_pack -from samba.schema import get_schema_descriptor -import ldb - -# Descriptors of naming contexts and other important objects - -def sddl2binary(sddl_in, domain_sid, name_map): - sddl = "%s" % sddl_in - - for [name, sid] in name_map.items(): - sddl = sddl.replace(name, sid) - - sec = security.descriptor.from_sddl(sddl, domain_sid) - return ndr_pack(sec) - -def get_empty_descriptor(domain_sid, name_map={}): - sddl= "" - return sddl2binary(sddl, domain_sid, name_map) - -# "get_schema_descriptor" is located in "schema.py" - -def get_config_descriptor(domain_sid, name_map={}): - sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - 
"(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(A;;RPLCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIO;RPWPCRCCLCLORCWOWDSDSW;;;DA)" \ - "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ - "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ - "S:(AU;SA;WPWOWD;;;WD)(AU;SA;CR;;;BA)(AU;SA;CR;;;DU)" \ - "(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_config_partitions_descriptor(domain_sid, name_map={}): - sddl = "D:" \ - "(A;;LCLORC;;;AU)" \ - "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)" \ - "(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)" \ - "(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)" \ - "(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)" \ - "(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)" \ - "(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)" \ - "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ - "(A;;CC;;;ED)" \ - "(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)" \ - "S:" \ - "(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_config_sites_descriptor(domain_sid, name_map={}): - sddl = "D:" \ - "(A;;RPLCLORC;;;AU)" \ - "(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;ER)" \ - "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ - "S:" \ - "(AU;CISA;CCDCSDDT;;;WD)" \ - "(OU;CIIOSA;CR;;f0f8ffab-1191-11d0-a060-00aa006c33ed;WD)" \ - "(OU;CIIOSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \ - "(OU;CIIOSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \ - 
"(OU;CIIOSA;WP;3e10944c-c354-11d0-aff8-0000f80367c1;b7b13124-b82e-11d0-afee-0000f80367c1;WD)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_config_ntds_quotas_descriptor(domain_sid, name_map={}): - sddl = "D:" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ - "(A;;RPLCLORC;;;BA)" \ - "(OA;;CR;4ecc03fe-ffc0-4947-b630-eb672a8a9dbc;;WD)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_config_delete_protected1_descriptor(domain_sid, name_map={}): - sddl = "D:AI" \ - "(A;;RPLCLORC;;;AU)" \ - "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_config_delete_protected1wd_descriptor(domain_sid, name_map={}): - sddl = "D:AI" \ - "(A;;RPLCLORC;;;WD)" \ - "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_config_delete_protected2_descriptor(domain_sid, name_map={}): - sddl = "D:AI" \ - "(A;;RPLCLORC;;;AU)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSW;;;EA)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_domain_descriptor(domain_sid, name_map={}): - sddl= "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - 
"(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ - "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \ - "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ - "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ - "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ - "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ - "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ - "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ - "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \ - "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ - "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \ - "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ - "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ - "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ - "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ - "(A;;RPRC;;;RU)" \ - "(A;CI;LC;;;RU)" \ - 
"(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \ - "(A;;RP;;;WD)" \ - "(A;;RPLCLORC;;;ED)" \ - "(A;;RPLCLORC;;;AU)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ - "S:AI(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ - "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ - "(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWOWD;;;WD)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_domain_infrastructure_descriptor(domain_sid, name_map={}): - sddl = "D:" \ - "(A;;RPLCLORC;;;AU)" \ - "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ - "S:" \ - "(AU;SA;WPCR;;;WD)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_domain_builtin_descriptor(domain_sid, name_map={}): - sddl = "D:" \ - "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ - "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)" \ - "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ - 
"(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ - "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ - "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ - "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ - "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ - "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \ - "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ - "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \ - "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ - "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ - "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ - "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ - "(A;;RPRC;;;RU)" \ - "(A;CI;LC;;;RU)" \ - "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \ - "(A;;RP;;;WD)" \ - "(A;;RPLCLORC;;;ED)" \ - "(A;;RPLCLORC;;;AU)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ - "S:" \ - "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ - "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ - "(AU;SA;CR;;;DU)" \ - "(AU;SA;CR;;;BA)" \ - 
"(AU;SA;WPWOWD;;;WD)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_domain_computers_descriptor(domain_sid, name_map={}): - sddl = "D:" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \ - "(OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO)" \ - "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \ - "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \ - "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \ - "(A;;RPLCLORC;;;AU)" \ - "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \ - "S:" - return sddl2binary(sddl, domain_sid, name_map) - -def get_domain_users_descriptor(domain_sid, name_map={}): - sddl = "D:" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \ - "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \ - "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \ - "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \ - "(A;;RPLCLORC;;;AU)" \ - "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \ - "S:" - return sddl2binary(sddl, domain_sid, name_map) - -def get_domain_controllers_descriptor(domain_sid, name_map={}): - sddl = "D:" \ - "(A;;RPLCLORC;;;AU)" \ - "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ - "(A;;RPLCLORC;;;ED)" \ - "S:" \ - "(AU;SA;CCDCWOWDSDDT;;;WD)" \ - "(AU;CISA;WP;;;WD)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_domain_delete_protected1_descriptor(domain_sid, name_map={}): - sddl = "D:AI" \ - "(A;;RPLCLORC;;;AU)" \ - "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_domain_delete_protected2_descriptor(domain_sid, name_map={}): - sddl = "D:AI" \ - "(A;;RPLCLORC;;;AU)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_dns_partition_descriptor(domain_sid, name_map={}): - sddl = "O:SYG:BAD:AI" \ - 
"(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \ - "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)" \ - "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)" \ - "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)" \ - "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \ - "(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;IF)" \ - "(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)" \ - "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)" \ - "(OA;CIIO;RPLCLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ - "(OA;CIIO;RPLCLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)" \ - 
"(OA;CIIO;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ - "(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)" \ - "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \ - "(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)" \ - "(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)" \ - "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ - "(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)" \ - "(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)" \ - "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \ - "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \ - "(A;;RPRC;;;RU)" \ - "(A;CI;LC;;;RU)" \ - "(A;CI;RPWPCRCCLCLORCWOWDSDSW;;;BA)" \ - "(A;;RP;;;WD)" \ - "(A;;RPLCLORC;;;ED)" \ - "(A;;RPLCLORC;;;AU)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ - "S:AI" \ - "(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ - "(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)" \ - "(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWOWD;;;WD)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_dns_forest_microsoft_dns_descriptor(domain_sid, name_map={}): - sddl = "O:SYG:SYD:AI" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ - "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_dns_domain_microsoft_dns_descriptor(domain_sid, name_map={}): - sddl = "O:SYG:SYD:AI" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)" \ - "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;DnsAdmins)" \ - "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ - "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" - return sddl2binary(sddl, domain_sid, name_map) - -def get_wellknown_sds(names, samdb): - - # Then subcontainers - subcontainers = [ - (ldb.Dn(samdb, "%s" % str(names.domaindn)), get_domain_descriptor), - (ldb.Dn(samdb, 
"CN=LostAndFound,%s" % str(names.domaindn)), get_domain_delete_protected2_descriptor), - (ldb.Dn(samdb, "CN=System,%s" % str(names.domaindn)), get_domain_delete_protected1_descriptor), - (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.domaindn)), get_domain_infrastructure_descriptor), - (ldb.Dn(samdb, "CN=Builtin,%s" % str(names.domaindn)), get_domain_builtin_descriptor), - (ldb.Dn(samdb, "CN=Computers,%s" % str(names.domaindn)), get_domain_computers_descriptor), - (ldb.Dn(samdb, "CN=Users,%s" % str(names.domaindn)), get_domain_users_descriptor), - (ldb.Dn(samdb, "OU=Domain Controllers,%s" % str(names.domaindn)), get_domain_controllers_descriptor), - (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn)), get_dns_domain_microsoft_dns_descriptor), - - (ldb.Dn(samdb, "%s" % str(names.configdn)), get_config_descriptor), - (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(names.configdn)), get_config_ntds_quotas_descriptor), - (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), - (ldb.Dn(samdb, "CN=Services,%s" % str(names.configdn)), get_config_delete_protected1_descriptor), - (ldb.Dn(samdb, "CN=Physical Locations,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), - (ldb.Dn(samdb, "CN=WellKnown Security Principals,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), - (ldb.Dn(samdb, "CN=ForestUpdates,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), - (ldb.Dn(samdb, "CN=DisplaySpecifiers,%s" % str(names.configdn)), get_config_delete_protected2_descriptor), - (ldb.Dn(samdb, "CN=Extended-Rights,%s" % str(names.configdn)), get_config_delete_protected2_descriptor), - (ldb.Dn(samdb, "CN=Partitions,%s" % str(names.configdn)), get_config_partitions_descriptor), - (ldb.Dn(samdb, "CN=Sites,%s" % str(names.configdn)), get_config_sites_descriptor), - - (ldb.Dn(samdb, "%s" % str(names.schemadn)), get_schema_descriptor), - ] - - if names.dnsforestdn is not 
None: - c = (ldb.Dn(samdb, "%s" % str(names.dnsforestdn)), get_dns_partition_descriptor) - subcontainers.append(c) - c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsforestdn)), - get_domain_delete_protected1_descriptor) - subcontainers.append(c) - c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsforestdn)), - get_domain_delete_protected2_descriptor) - subcontainers.append(c) - c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsforestdn)), - get_dns_forest_microsoft_dns_descriptor) - subcontainers.append(c) - - if names.dnsdomaindn is not None: - c = (ldb.Dn(samdb, "%s" % str(names.dnsdomaindn)), get_dns_partition_descriptor) - subcontainers.append(c) - c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsdomaindn)), - get_domain_delete_protected1_descriptor) - subcontainers.append(c) - c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsdomaindn)), - get_domain_delete_protected2_descriptor) - subcontainers.append(c) - c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsdomaindn)), - get_dns_domain_microsoft_dns_descriptor) - subcontainers.append(c) - - return subcontainers diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py index 4522683..a5a45cf 100644 --- a/python/samba/provision/sambadns.py +++ b/python/samba/provision/sambadns.py @@ -36,7 +36,7 @@ from samba.dsdb import ( DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008_R2 ) -from samba.provision.descriptor import ( +from samba.descriptor import ( get_domain_descriptor, get_domain_delete_protected1_descriptor, get_domain_delete_protected2_descriptor, diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision index c6fc8f2..c0ce040 100755 --- a/source4/scripting/bin/samba_upgradeprovision +++ b/source4/scripting/bin/samba_upgradeprovision 
@@ -46,7 +46,7 @@ from ldb import (SCOPE_SUBTREE, SCOPE_BASE, MessageElement, Message, Dn, LdbError) from samba import param, dsdb, Ldb from samba.common import confirm -from samba.provision.descriptor import get_wellknown_sds, get_empty_descriptor +from samba.descriptor import get_wellknown_sds, get_empty_descriptor from samba.provision import (find_provision_key_parameters, ProvisioningError, get_last_provision_usn, get_max_usn, update_provision_usn, setup_path) -- 1.7.11.7 From bf8f388040bfae4f2941745b1da8d1da50df79ba Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 22 Mar 2013 11:15:38 +1100 Subject: [PATCH 05/12] scripting: Modify samba.descriptor.get_wellknown_sds() use samdb calls only We need this routine not to use the names context as this is tied to provision, and we end up in a circular dependency if we use that in dbcheck. Andrew Bartlett (cherry picked from commit a113ddbf881c5905bbf7072638c7ba8843eeb85e) --- python/samba/descriptor.py | 107 +++++++++++++++------------ source4/scripting/bin/samba_upgradeprovision | 2 +- 2 files changed, 59 insertions(+), 50 deletions(-) diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py index 9916a22..f9fb3c6 100644 --- a/python/samba/descriptor.py +++ b/python/samba/descriptor.py 
@@ -360,59 +360,68 @@ def get_dns_domain_microsoft_dns_descriptor(domain_sid, name_map={}): "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" return sddl2binary(sddl, domain_sid, name_map) -def get_wellknown_sds(names, samdb): +def get_wellknown_sds(samdb): # Then subcontainers subcontainers = [ - (ldb.Dn(samdb, "%s" % str(names.domaindn)), get_domain_descriptor), - (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.domaindn)), get_domain_delete_protected2_descriptor), - (ldb.Dn(samdb, "CN=System,%s" % str(names.domaindn)), get_domain_delete_protected1_descriptor), - (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.domaindn)), get_domain_infrastructure_descriptor), - (ldb.Dn(samdb, "CN=Builtin,%s" % str(names.domaindn)), get_domain_builtin_descriptor), - (ldb.Dn(samdb, "CN=Computers,%s" % str(names.domaindn)), get_domain_computers_descriptor), - (ldb.Dn(samdb, "CN=Users,%s" % str(names.domaindn)), get_domain_users_descriptor), - (ldb.Dn(samdb, "OU=Domain Controllers,%s" % str(names.domaindn)), get_domain_controllers_descriptor), - (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(names.domaindn)), get_dns_domain_microsoft_dns_descriptor), - - (ldb.Dn(samdb, "%s" % str(names.configdn)), get_config_descriptor), - (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(names.configdn)), get_config_ntds_quotas_descriptor), - (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), - (ldb.Dn(samdb, "CN=Services,%s" % str(names.configdn)), get_config_delete_protected1_descriptor), - (ldb.Dn(samdb, "CN=Physical Locations,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), - (ldb.Dn(samdb, "CN=WellKnown Security Principals,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), - (ldb.Dn(samdb, "CN=ForestUpdates,%s" % str(names.configdn)), get_config_delete_protected1wd_descriptor), - (ldb.Dn(samdb, "CN=DisplaySpecifiers,%s" % str(names.configdn)), get_config_delete_protected2_descriptor), - (ldb.Dn(samdb, 
"CN=Extended-Rights,%s" % str(names.configdn)), get_config_delete_protected2_descriptor), - (ldb.Dn(samdb, "CN=Partitions,%s" % str(names.configdn)), get_config_partitions_descriptor), - (ldb.Dn(samdb, "CN=Sites,%s" % str(names.configdn)), get_config_sites_descriptor), - - (ldb.Dn(samdb, "%s" % str(names.schemadn)), get_schema_descriptor), + (ldb.Dn(samdb, "%s" % str(samdb.domain_dn())), get_domain_descriptor), + (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(samdb.domain_dn())), get_domain_delete_protected2_descriptor), + (ldb.Dn(samdb, "CN=System,%s" % str(samdb.domain_dn())), get_domain_delete_protected1_descriptor), + (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(samdb.domain_dn())), get_domain_infrastructure_descriptor), + (ldb.Dn(samdb, "CN=Builtin,%s" % str(samdb.domain_dn())), get_domain_builtin_descriptor), + (ldb.Dn(samdb, "CN=Computers,%s" % str(samdb.domain_dn())), get_domain_computers_descriptor), + (ldb.Dn(samdb, "CN=Users,%s" % str(samdb.domain_dn())), get_domain_users_descriptor), + (ldb.Dn(samdb, "OU=Domain Controllers,%s" % str(samdb.domain_dn())), get_domain_controllers_descriptor), + (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(samdb.domain_dn())), get_dns_domain_microsoft_dns_descriptor), + + (ldb.Dn(samdb, "%s" % str(samdb.get_config_basedn())), get_config_descriptor), + (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(samdb.get_config_basedn())), get_config_ntds_quotas_descriptor), + (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor), + (ldb.Dn(samdb, "CN=Services,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1_descriptor), + (ldb.Dn(samdb, "CN=Physical Locations,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor), + (ldb.Dn(samdb, "CN=WellKnown Security Principals,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor), + (ldb.Dn(samdb, "CN=ForestUpdates,%s" % str(samdb.get_config_basedn())), 
get_config_delete_protected1wd_descriptor), + (ldb.Dn(samdb, "CN=DisplaySpecifiers,%s" % str(samdb.get_config_basedn())), get_config_delete_protected2_descriptor), + (ldb.Dn(samdb, "CN=Extended-Rights,%s" % str(samdb.get_config_basedn())), get_config_delete_protected2_descriptor), + (ldb.Dn(samdb, "CN=Partitions,%s" % str(samdb.get_config_basedn())), get_config_partitions_descriptor), + (ldb.Dn(samdb, "CN=Sites,%s" % str(samdb.get_config_basedn())), get_config_sites_descriptor), + + (ldb.Dn(samdb, "%s" % str(samdb.get_schema_basedn())), get_schema_descriptor), ] - if names.dnsforestdn is not None: - c = (ldb.Dn(samdb, "%s" % str(names.dnsforestdn)), get_dns_partition_descriptor) - subcontainers.append(c) - c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsforestdn)), - get_domain_delete_protected1_descriptor) - subcontainers.append(c) - c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsforestdn)), - get_domain_delete_protected2_descriptor) - subcontainers.append(c) - c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsforestdn)), - get_dns_forest_microsoft_dns_descriptor) - subcontainers.append(c) - - if names.dnsdomaindn is not None: - c = (ldb.Dn(samdb, "%s" % str(names.dnsdomaindn)), get_dns_partition_descriptor) - subcontainers.append(c) - c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(names.dnsdomaindn)), - get_domain_delete_protected1_descriptor) - subcontainers.append(c) - c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(names.dnsdomaindn)), - get_domain_delete_protected2_descriptor) - subcontainers.append(c) - c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(names.dnsdomaindn)), - get_dns_domain_microsoft_dns_descriptor) - subcontainers.append(c) + current = samdb.search(expression="(objectClass=*)", + base="", scope=ldb.SCOPE_BASE, + attrs=["namingContexts"]) + + for nc in current[0]["namingContexts"]: + + dnsforestdn = ldb.Dn(samdb, "DC=ForestDnsZones,%s" % (str(samdb.get_root_basedn()))) + if ldb.Dn(samdb, nc) == dnsforestdn: + c = 
(ldb.Dn(samdb, "%s" % str(dnsforestdn)), get_dns_partition_descriptor) + subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsforestdn)), + get_domain_delete_protected1_descriptor) + subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(dnsforestdn)), + get_domain_delete_protected2_descriptor) + subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(dnsforestdn)), + get_dns_forest_microsoft_dns_descriptor) + subcontainers.append(c) + continue + + dnsdomaindn = ldb.Dn(samdb, "DC=DomainDnsZones,%s" % (str(samdb.domain_dn()))) + if ldb.Dn(samdb, nc) == dnsdomaindn: + c = (ldb.Dn(samdb, "%s" % str(dnsdomaindn)), get_dns_partition_descriptor) + subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsdomaindn)), + get_domain_delete_protected1_descriptor) + subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(dnsdomaindn)), + get_domain_delete_protected2_descriptor) + subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=MicrosoftDNS,%s" % str(dnsdomaindn)), + get_dns_domain_microsoft_dns_descriptor) + subcontainers.append(c) return subcontainers diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision index c0ce040..92d5773 100755 --- a/source4/scripting/bin/samba_upgradeprovision +++ b/source4/scripting/bin/samba_upgradeprovision @@ -1211,7 +1211,7 @@ def fix_wellknown_sd(samdb, names): list_wellknown_dns = [] - subcontainers = get_wellknown_sds(names, samdb) + subcontainers = get_wellknown_sds(samdb) for [dn, descriptor_fn] in subcontainers: list_wellknown_dns.append(dn) -- 1.7.11.7 From 956eb90fa46ec43590e9fbf843b5753dc6f18f64 Mon Sep 17 00:00:00 2001 
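Review bot: `dnsforestdn` and `dnsdomaindn` are rebuilt on every iteration of the `for nc in current[0]["namingContexts"]` loop although neither depends on `nc`; compute both `ldb.Dn(...)` values once before the loop and keep only the `ldb.Dn(samdb, nc) == ...` tests inside it. The comment `# Then subcontainers` no longer follows a "first" step now that the `names` parameter is gone; replace it with a docstring such as `"""Return (DN, descriptor_fn) pairs for the objects whose security descriptor provision sets to a well-known value; the DNS partitions are included only when they appear in the rootDSE namingContexts."""`. The `"%s" % str(x)` wrappers around `samdb.domain_dn()`, `samdb.get_config_basedn()` and friends are identical to `str(x)`, so `ldb.Dn(samdb, str(samdb.domain_dn()))` reads the same with less noise.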
From: Andrew Bartlett Date: Fri, 22 Mar 2013 16:19:27 +1100 Subject: [PATCH 06/12] scripting: Move get_diff_sds from samba.upgradehelpers to samba.descriptor This helps avoid a dependency loop when we use get_diff_sds in dbcheck. Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 9040e2684161ce75738e9da0fee191aa34858607) --- python/samba/descriptor.py | 154 +++++++++++++++++++++++++++ python/samba/tests/upgradeprovision.py | 4 +- python/samba/upgradehelpers.py | 153 -------------------------- source4/scripting/bin/samba_upgradeprovision | 4 +- 4 files changed, 158 insertions(+), 157 deletions(-) diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py index f9fb3c6..4137bc3 100644 --- a/python/samba/descriptor.py +++ b/python/samba/descriptor.py @@ -30,6 +30,7 @@ from samba.dcerpc import security from samba.ndr import ndr_pack from samba.schema import get_schema_descriptor import ldb +import re # Descriptors of naming contexts and other important objects 
@@ -425,3 +426,156 @@ def get_wellknown_sds(samdb): subcontainers.append(c) return subcontainers + + +def chunck_acl(acl): + """Return separate ACE of an ACL + + :param acl: A string representing the ACL + :return: A hash with different parts + """ + + p = re.compile(r'(\w+)?(\(.*?\))') + tab = p.findall(acl) + + hash = {} + hash["aces"] = [] + for e in tab: + if len(e[0]) > 0: + hash["flags"] = e[0] + hash["aces"].append(e[1]) + + return hash + + +def chunck_sddl(sddl): + """ Return separate parts of the SDDL (owner, group, ...) + + :param sddl: An string containing the SDDL to chunk + :return: A hash with the different chunk + """ + + p = re.compile(r'([OGDS]:)(.*?)(?=(?:[GDS]:|$))') + tab = p.findall(sddl) + + hash = {} + for e in tab: + if e[0] == "O:": + hash["owner"] = e[1] + if e[0] == "G:": + hash["group"] = e[1] + if e[0] == "D:": + hash["dacl"] = e[1] + if e[0] == "S:": + hash["sacl"] = e[1] + + return hash + + +def get_clean_sd(sd): + """Get the SD without any inherited ACEs + + :param sd: SD to strip + :return: An SD with inherited ACEs stripped + """ + + sd_clean = security.descriptor() + sd_clean.owner_sid = sd.owner_sid + sd_clean.group_sid = sd.group_sid + sd_clean.type = sd.type + sd_clean.revision = sd.revision + + aces = [] + if sd.sacl is not None: + aces = sd.sacl.aces + for i in range(0, len(aces)): + ace = aces[i] + + if not ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE: + sd_clean.sacl_add(ace) + continue + + aces = [] + if sd.dacl is not None: + aces = sd.dacl.aces + for i in range(0, len(aces)): + ace = aces[i] + + if not ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE: + sd_clean.dacl_add(ace) + continue + return sd_clean + + +def get_diff_sds(refsd, cursd, domainsid, checkSacl = True): + """Get the difference between 2 sd + + This function split the textual representation of ACL into smaller + chunck in order to not to report a simple permutation as a difference + + :param refsddl: First sddl to compare + :param cursddl: Second sddl to 
compare + :param checkSacl: If false we skip the sacl checks + :return: A string that explain difference between sddls + """ + + cursddl = get_clean_sd(cursd).as_sddl(domainsid) + refsddl = get_clean_sd(refsd).as_sddl(domainsid) + + txt = "" + hash_cur = chunck_sddl(cursddl) + hash_ref = chunck_sddl(refsddl) + + if not hash_cur.has_key("owner"): + txt = "\tNo owner in current SD" + elif hash_cur["owner"] != hash_ref["owner"]: + txt = "\tOwner mismatch: %s (in ref) %s" \ + "(in current)\n" % (hash_ref["owner"], hash_cur["owner"]) + + if not hash_cur.has_key("group"): + txt = "%s\tNo group in current SD" % txt + elif hash_cur["group"] != hash_ref["group"]: + txt = "%s\tGroup mismatch: %s (in ref) %s" \ + "(in current)\n" % (txt, hash_ref["group"], hash_cur["group"]) + + parts = [ "dacl" ] + if checkSacl: + parts.append("sacl") + for part in parts: + if hash_cur.has_key(part) and hash_ref.has_key(part): + + # both are present, check if they contain the same ACE + h_cur = set() + h_ref = set() + c_cur = chunck_acl(hash_cur[part]) + c_ref = chunck_acl(hash_ref[part]) + + for elem in c_cur["aces"]: + h_cur.add(elem) + + for elem in c_ref["aces"]: + h_ref.add(elem) + + for k in set(h_ref): + if k in h_cur: + h_cur.remove(k) + h_ref.remove(k) + + if len(h_cur) + len(h_ref) > 0: + txt = "%s\tPart %s is different between reference" \ + " and current here is the detail:\n" % (txt, part) + + for item in h_cur: + txt = "%s\t\t%s ACE is not present in the" \ + " reference\n" % (txt, item) + + for item in h_ref: + txt = "%s\t\t%s ACE is not present in the" \ + " current\n" % (txt, item) + + elif hash_cur.has_key(part) and not hash_ref.has_key(part): + txt = "%s\tReference ACL hasn't a %s part\n" % (txt, part) + elif not hash_cur.has_key(part) and hash_ref.has_key(part): + txt = "%s\tCurrent ACL hasn't a %s part\n" % (txt, part) + + return txt diff --git a/python/samba/tests/upgradeprovision.py b/python/samba/tests/upgradeprovision.py index 4c80bf8..e4da593 100644 
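Review bot: `get_diff_sds` never compares the ACL control flags that `chunck_acl` extracts: `c_cur["flags"]` and `c_ref["flags"]` (the word before the first ACE, i.e. the `P`/`AI`/`AR` prefix of a `D:` or `S:` part in SDDL) are computed but only the `aces` sets are diffed, so a current DACL that differs from the reference only in being protected or not reports no difference and `--reset-well-known-acls` leaves it in place. After `c_ref = chunck_acl(hash_ref[part])` add `if c_cur.get("flags") != c_ref.get("flags"): txt = "%s\tPart %s flags differ: %s (in ref) %s (in current)\n" % (txt, part, c_ref.get("flags"), c_cur.get("flags"))`. The docstring documents `refsddl`/`cursddl` while the parameters are `refsd`, `cursd` and `domainsid` (descriptor objects plus the SID handed to `as_sddl`), and the `"\tNo owner in current SD"` / `"\tNo group in current SD"` messages lack the trailing `\n` every other message carries, so they run into the next report line. `hash` in `chunck_acl`/`chunck_sddl` shadows the builtin; `parts` or `chunks` would be clearer.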
--- a/python/samba/tests/upgradeprovision.py +++ b/python/samba/tests/upgradeprovision.py @@ -19,9 +19,9 @@ import os from samba.upgradehelpers import (usn_in_range, dn_sort, - get_diff_sds, update_secrets, + update_secrets, construct_existor_expr) - +from samba.descriptor import get_diff_sds from samba.tests.provision import create_dummy_secretsdb from samba.tests import TestCaseInTempDir from samba import Ldb diff --git a/python/samba/upgradehelpers.py b/python/samba/upgradehelpers.py index 13a3691..04f1e82 100644 --- a/python/samba/upgradehelpers.py +++ b/python/samba/upgradehelpers.py 
@@ -302,159 +302,6 @@ def identic_rename(ldbobj, dn): ldbobj.rename(ldb.Dn(ldbobj, "%s=foo%s" % (before, after)), dn, ["relax:0"]) -def chunck_acl(acl): - """Return separate ACE of an ACL - - :param acl: A string representing the ACL - :return: A hash with different parts - """ - - p = re.compile(r'(\w+)?(\(.*?\))') - tab = p.findall(acl) - - hash = {} - hash["aces"] = [] - for e in tab: - if len(e[0]) > 0: - hash["flags"] = e[0] - hash["aces"].append(e[1]) - - return hash - - -def chunck_sddl(sddl): - """ Return separate parts of the SDDL (owner, group, ...) - - :param sddl: An string containing the SDDL to chunk - :return: A hash with the different chunk - """ - - p = re.compile(r'([OGDS]:)(.*?)(?=(?:[GDS]:|$))') - tab = p.findall(sddl) - - hash = {} - for e in tab: - if e[0] == "O:": - hash["owner"] = e[1] - if e[0] == "G:": - hash["group"] = e[1] - if e[0] == "D:": - hash["dacl"] = e[1] - if e[0] == "S:": - hash["sacl"] = e[1] - - return hash - - -def get_clean_sd(sd): - """Get the SD without any inherited ACEs - - :param sd: SD to strip - :return: An SD with inherited ACEs stripped - """ - - sd_clean = security.descriptor() - sd_clean.owner_sid = sd.owner_sid - sd_clean.group_sid = sd.group_sid - sd_clean.type = sd.type - sd_clean.revision = sd.revision - - aces = [] - if sd.sacl is not None: - aces = sd.sacl.aces - for i in range(0, len(aces)): - ace = aces[i] - - if not ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE: - sd_clean.sacl_add(ace) - continue - - aces = [] - if sd.dacl is not None: - aces = sd.dacl.aces - for i in range(0, len(aces)): - ace = aces[i] - - if not ace.flags & security.SEC_ACE_FLAG_INHERITED_ACE: - sd_clean.dacl_add(ace) - continue - return sd_clean - - -def get_diff_sds(refsd, cursd, domainsid, checkSacl = True): - """Get the difference between 2 sd - - This function split the textual representation of ACL into smaller - chunck in order to not to report a simple permutation as a difference - - :param refsddl: First sddl to compare - 
:param cursddl: Second sddl to compare - :param checkSacl: If false we skip the sacl checks - :return: A string that explain difference between sddls - """ - - cursddl = get_clean_sd(cursd).as_sddl(domainsid) - refsddl = get_clean_sd(refsd).as_sddl(domainsid) - - txt = "" - hash_cur = chunck_sddl(cursddl) - hash_ref = chunck_sddl(refsddl) - - if not hash_cur.has_key("owner"): - txt = "\tNo owner in current SD" - elif hash_cur["owner"] != hash_ref["owner"]: - txt = "\tOwner mismatch: %s (in ref) %s" \ - "(in current)\n" % (hash_ref["owner"], hash_cur["owner"]) - - if not hash_cur.has_key("group"): - txt = "%s\tNo group in current SD" % txt - elif hash_cur["group"] != hash_ref["group"]: - txt = "%s\tGroup mismatch: %s (in ref) %s" \ - "(in current)\n" % (txt, hash_ref["group"], hash_cur["group"]) - - parts = [ "dacl" ] - if checkSacl: - parts.append("sacl") - for part in parts: - if hash_cur.has_key(part) and hash_ref.has_key(part): - - # both are present, check if they contain the same ACE - h_cur = set() - h_ref = set() - c_cur = chunck_acl(hash_cur[part]) - c_ref = chunck_acl(hash_ref[part]) - - for elem in c_cur["aces"]: - h_cur.add(elem) - - for elem in c_ref["aces"]: - h_ref.add(elem) - - for k in set(h_ref): - if k in h_cur: - h_cur.remove(k) - h_ref.remove(k) - - if len(h_cur) + len(h_ref) > 0: - txt = "%s\tPart %s is different between reference" \ - " and current here is the detail:\n" % (txt, part) - - for item in h_cur: - txt = "%s\t\t%s ACE is not present in the" \ - " reference\n" % (txt, item) - - for item in h_ref: - txt = "%s\t\t%s ACE is not present in the" \ - " current\n" % (txt, item) - - elif hash_cur.has_key(part) and not hash_ref.has_key(part): - txt = "%s\tReference ACL hasn't a %s part\n" % (txt, part) - elif not hash_cur.has_key(part) and hash_ref.has_key(part): - txt = "%s\tCurrent ACL hasn't a %s part\n" % (txt, part) - - return txt - - def update_secrets(newsecrets_ldb, secrets_ldb, messagefunc): """Update secrets.ldb 
diff --git a/source4/scripting/bin/samba_upgradeprovision b/source4/scripting/bin/samba_upgradeprovision index 92d5773..88e0206 100755 --- a/source4/scripting/bin/samba_upgradeprovision +++ b/source4/scripting/bin/samba_upgradeprovision @@ -46,7 +46,7 @@ from ldb import (SCOPE_SUBTREE, SCOPE_BASE, MessageElement, Message, Dn, LdbError) from samba import param, dsdb, Ldb from samba.common import confirm -from samba.descriptor import get_wellknown_sds, get_empty_descriptor +from samba.descriptor import get_wellknown_sds, get_empty_descriptor, get_diff_sds from samba.provision import (find_provision_key_parameters, ProvisioningError, get_last_provision_usn, get_max_usn, update_provision_usn, setup_path) @@ -57,7 +57,7 @@ from samba.dcerpc.security import ( from samba.ndr import ndr_unpack from samba.upgradehelpers import (dn_sort, get_paths, newprovision, get_ldbs, findprovisionrange, - usn_in_range, identic_rename, get_diff_sds, + usn_in_range, identic_rename, update_secrets, CHANGE, ERROR, SIMPLE, CHANGEALL, GUESS, CHANGESD, PROVISION, updateOEMInfo, getOEMInfo, update_gpo, -- 1.7.11.7 From cff823818707e9cf26b6f7bbf535c1ad1368b58a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 11 Feb 2013 14:49:01 +1100 Subject: [PATCH 07/12] samba-tool dbcheck: Add --reset-well-known-acls This will allow an upgrade from Samba 4.0.0 without needing to run samba_upgradeprovision, which for now is not the preferred upgrade tool. Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 810f8b48d925ea15f3439c4b228741d8fddaccd8) --- python/samba/dbchecker.py | 68 ++++++++++++++++++++++++++++++++++++++++-- python/samba/netcmd/dbcheck.py | 7 +++-- 2 files changed, 71 insertions(+), 4 deletions(-) diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py index fd42a78..39a2b4f 100644 --- a/python/samba/dbchecker.py +++ b/python/samba/dbchecker.py 
@@ -25,13 +25,15 @@ from samba.ndr import ndr_unpack, ndr_pack from samba.dcerpc import drsblobs from samba.common import dsdb_Dn from samba.dcerpc import security +from samba.descriptor import get_wellknown_sds, get_diff_sds class dbcheck(object): """check a SAM database for errors""" def __init__(self, samdb, samdb_schema=None, verbose=False, fix=False, - yes=False, quiet=False, in_transaction=False): + yes=False, quiet=False, in_transaction=False, + reset_well_known_acls=False): self.samdb = samdb self.dict_oid_name = None self.samdb_schema = (samdb_schema or samdb) @@ -55,6 +57,8 @@ class dbcheck(object): self.seize_fsmo_role = False self.move_to_lost_and_found = False self.fix_instancetype = False + self.reset_well_known_acls = reset_well_known_acls + self.reset_all_well_known_acls = False self.in_transaction = in_transaction self.infrastructure_dn = ldb.Dn(samdb, "CN=Infrastructure," + samdb.domain_dn()) self.naming_dn = ldb.Dn(samdb, "CN=Partitions,%s" % samdb.get_config_basedn()) @@ -62,6 +66,18 @@ class dbcheck(object): self.rid_dn = ldb.Dn(samdb, "CN=RID Manager$,CN=System," + samdb.domain_dn()) self.ntds_dsa = ldb.Dn(samdb, samdb.get_dsServiceName()) self.class_schemaIDGUID = {} + self.wellknown_sds = get_wellknown_sds(self.samdb) + + self.name_map = {} + try: + res = samdb.search(base="CN=DnsAdmins,CN=Users,%s" % samdb.domain_dn(), scope=ldb.SCOPE_BASE, + attrs=["objectSid"]) + dnsadmins_sid = ndr_unpack(security.dom_sid, res[0]["objectSid"][0]) + self.name_map['DnsAdmins'] = str(dnsadmins_sid) + except ldb.LdbError, (enum, estr): + if enum != ldb.ERR_NO_SUCH_OBJECT: + raise + pass res = self.samdb.search(base=self.ntds_dsa, scope=ldb.SCOPE_BASE, attrs=['msDS-hasMasterNCs', 'hasMasterNCs']) if "msDS-hasMasterNCs" in res[0]: 
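Review bot: `self.wellknown_sds = get_wellknown_sds(self.samdb)` in the `@@ -62,6 +66,18 @@` hunk runs a rootDSE search and builds a couple of dozen `ldb.Dn` objects on every dbcheck run, although `self.wellknown_sds` is only consulted when `reset_well_known_acls` is set; guard it with `if reset_well_known_acls:` (assigning `[]` otherwise) or compute it lazily on first use. In the `except ldb.LdbError, (enum, estr):` handler the trailing `pass` is redundant and `estr` is unused; the body can be just `if enum != ldb.ERR_NO_SUCH_OBJECT: raise`. A missing `CN=DnsAdmins` group is deliberately tolerated here, leaving `name_map` without a `DnsAdmins` entry; a comment stating what the descriptor functions do with an absent mapping (not visible on this page) would help the next reader.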
@@ -739,7 +755,29 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) nmsg.dn = dn nmsg[sd_attr] = ldb.MessageElement(sd_val, ldb.FLAG_MOD_REPLACE, sd_attr) if self.do_modify(nmsg, ["sd_flags:1:%d" % sd_flags], - "Failed to fix metadata for attribute %s" % sd_attr): + "Failed to fix attribute %s" % sd_attr): + self.report("Fixed attribute '%s' of '%s'\n" % (sd_attr, dn)) + + def err_wrong_default_sd(self, dn, sd, sd_old, diff): + '''re-write the SD due to not matching the default (optional mode for fixing an incorrect provision)''' + sd_attr = "nTSecurityDescriptor" + sd_val = ndr_pack(sd) + sd_old_val = ndr_pack(sd_old) + sd_flags = security.SECINFO_DACL | security.SECINFO_SACL + if sd.owner_sid is not None: + sd_flags |= security.SECINFO_OWNER + if sd.group_sid is not None: + sd_flags |= security.SECINFO_GROUP + + if not self.confirm_all('Reset %s on %s back to provision default?\n%s' % (sd_attr, dn, diff), 'reset_all_well_known_acls'): + self.report('Not resetting %s on %s\n' % (sd_attr, dn)) + return + + m = ldb.Message() + m.dn = dn + m[sd_attr] = ldb.MessageElement(sd_val, ldb.FLAG_MOD_REPLACE, sd_attr) + if self.do_modify(m, ["sd_flags:1:%d" % sd_flags], + "Failed to reset attribute %s" % sd_attr): self.report("Fixed attribute '%s' of '%s'\n" % (sd_attr, dn)) def is_fsmo_role(self, dn): @@ -774,6 +812,16 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) return instancetype + def get_wellknown_sd(self, dn): + for [sd_dn, descriptor_fn] in self.wellknown_sds: + if dn == sd_dn: + domain_sid = security.dom_sid(self.samdb.get_domain_sid()) + return ndr_unpack(security.descriptor, + descriptor_fn(domain_sid, + name_map=self.name_map)) + + raise KeyError + def check_object(self, dn, attrs=['*']): '''check one object''' if self.verbose: 
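Review bot: In `err_wrong_default_sd` the local `sd_old_val = ndr_pack(sd_old)` is computed and never used, so `sd_old` currently serves no purpose beyond the caller-supplied `diff`; drop the line, or include the old value in the prompt if that was the intent. `get_wellknown_sd` in the `@@ -774,6 +812,16 @@` hunk has no docstring and ends with a bare `raise KeyError`; `raise KeyError(dn)` costs nothing and a one-liner in the file's style, `'''Return the provision-default descriptor for dn, or raise KeyError if dn has no well-known SD'''`, tells callers what the exception means. `security.dom_sid(self.samdb.get_domain_sid())` is also rebuilt on every matching call; a `self.domain_sid` computed once in `__init__` would do.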
@@ -826,6 +874,22 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) if sd_broken is not None: self.err_wrong_sd(dn, sd, sd_broken) error_count += 1 + continue + + if self.reset_well_known_acls: + try: + well_known_sd = self.get_wellknown_sd(dn) + except KeyError: + continue + + current_sd = ndr_unpack(security.descriptor, + str(obj[attrname][0])) + + diff = get_diff_sds(well_known_sd, current_sd, security.dom_sid(self.samdb.get_domain_sid())) + if diff != "": + self.err_wrong_default_sd(dn, well_known_sd, current_sd, diff) + error_count += 1 + continue continue if str(attrname).lower() == 'objectclass': diff --git a/python/samba/netcmd/dbcheck.py b/python/samba/netcmd/dbcheck.py index 889b0ff..4cc0631 100644 --- a/python/samba/netcmd/dbcheck.py +++ b/python/samba/netcmd/dbcheck.py @@ -56,6 +56,7 @@ class cmd_dbcheck(Command): Option("--attrs", dest="attrs", default=None, help="list of attributes to check (space separated)"), Option("--reindex", dest="reindex", default=False, action="store_true", help="force database re-index"), Option("--force-modules", dest="force_modules", default=False, action="store_true", help="force loading of Samba modules and ignore the @MODULES record (for very old databases)"), + Option("--reset-well-known-acls", dest="reset_well_known_acls", default=False, action="store_true", help="reset ACLs on objects with well known default ACL values to the default"), Option("-H", "--URL", help="LDB URL for database or target server (defaults to local SAM database)", type=str, metavar="URL", dest="H"), ] @@ -63,7 +64,8 @@ class cmd_dbcheck(Command): def run(self, DN=None, H=None, verbose=False, fix=False, yes=False, cross_ncs=False, quiet=False, scope="SUB", credopts=None, sambaopts=None, versionopts=None, - attrs=None, reindex=False, force_modules=False): + attrs=None, reindex=False, force_modules=False, + reset_well_known_acls=False): lp = sambaopts.get_loadparm() 
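Review bot: `current_sd = ndr_unpack(security.descriptor, str(obj[attrname][0]))` re-parses the attribute value, while two lines above `self.err_wrong_sd(dn, sd, sd_broken)` already uses an unpacked `sd` — presumably the same descriptor, unpacked earlier in `check_object` outside this hunk; if so, pass `sd` to `get_diff_sds` and drop the second unpack. `security.dom_sid(self.samdb.get_domain_sid())` is built per object here and again inside `get_wellknown_sd`; one `self.domain_sid` attribute set in `__init__` would serve both. The enclosing `check_object` body starts and ends outside the hunk.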
@@ -114,7 +116,8 @@ class cmd_dbcheck(Command): started_transaction = True try: chk = dbcheck(samdb, samdb_schema=samdb_schema, verbose=verbose, - fix=fix, yes=yes, quiet=quiet, in_transaction=started_transaction) + fix=fix, yes=yes, quiet=quiet, in_transaction=started_transaction, + reset_well_known_acls=reset_well_known_acls) if reindex: self.outf.write("Re-indexing...\n") -- 1.7.11.7 From 54b9959d148cb4c47a72320d0b740f3dfdd6bc4a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 11 Feb 2013 14:49:01 +1100 Subject: [PATCH 08/12] samba-tool dbcheck: Allow dbcheck to correct an nTSecurityDescriptor without an owner or group This is done by making a modification to the SD, which triggers it to be filled in if we have the correct session_info established on the DB. However, we normally want dbcheck running as system, so we wrap the session_info set around this operation only. Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 4789a3072a4241841c096115dbdb0c3259968e68) --- python/samba/dbchecker.py | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py index 39a2b4f..d0d0ab3 100644 --- a/python/samba/dbchecker.py +++ b/python/samba/dbchecker.py @@ -26,6 +26,7 @@ from samba.dcerpc import drsblobs from samba.common import dsdb_Dn from samba.dcerpc import security from samba.descriptor import get_wellknown_sds, get_diff_sds +from samba.auth import system_session, admin_session class dbcheck(object): @@ -54,6 +55,7 @@ class dbcheck(object): self.fix_all_orphaned_backlinks = False self.fix_rmd_flags = False self.fix_ntsecuritydescriptor = False + self.fix_ntsecuritydescriptor_owner_group = False self.seize_fsmo_role = False self.move_to_lost_and_found = False self.fix_instancetype = False 
@@ -79,6 +81,9 @@ class dbcheck(object): raise pass + self.system_session_info = system_session() + self.admin_session_info = admin_session(None, samdb.get_domain_sid()) + res = self.samdb.search(base=self.ntds_dsa, scope=ldb.SCOPE_BASE, attrs=['msDS-hasMasterNCs', 'hasMasterNCs']) if "msDS-hasMasterNCs" in res[0]: self.write_ncs = res[0]["msDS-hasMasterNCs"] @@ -780,6 +785,37 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) "Failed to reset attribute %s" % sd_attr): self.report("Fixed attribute '%s' of '%s'\n" % (sd_attr, dn)) + def err_missing_sd_owner(self, dn, sd): + '''re-write the SD due to a missing owner or group''' + sd_attr = "nTSecurityDescriptor" + sd_val = ndr_pack(sd) + sd_flags = security.SECINFO_OWNER | security.SECINFO_GROUP + + if not self.confirm_all('Fix missing owner or group in %s on %s?' % (sd_attr, dn), 'fix_ntsecuritydescriptor_owner_group'): + self.report('Not fixing missing owner or group %s on %s\n' % (sd_attr, dn)) + return + + nmsg = ldb.Message() + nmsg.dn = dn + nmsg[sd_attr] = ldb.MessageElement(sd_val, ldb.FLAG_MOD_REPLACE, sd_attr) + + # By setting the session_info to admin_session_info and + # setting the security.SECINFO_OWNER | security.SECINFO_GROUP + # flags we cause the descriptor module to set the correct + # owner and group on the SD, replacing the None/NULL values + # for owner_sid and group_sid currently present. + # + # The admin_session_info matches that used in provision, and + # is the best guess we can make for an existing object that + # hasn't had something specifically set. + # + # This is important for the dns related naming contexts. + self.samdb.set_session_info(self.admin_session_info) + if self.do_modify(nmsg, ["sd_flags:1:%d" % sd_flags], + "Failed to fix metadata for attribute %s" % sd_attr): + self.report("Fixed attribute '%s' of '%s'\n" % (sd_attr, dn)) + self.samdb.set_session_info(self.system_session_info) + def is_fsmo_role(self, dn): if dn == self.samdb.domain_dn: return True 
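Review bot: The session switch in `err_missing_sd_owner` is not exception-safe: `self.samdb.set_session_info(self.admin_session_info)` is followed by `do_modify`, and the restoring `self.samdb.set_session_info(self.system_session_info)` runs only if `do_modify` returns normally, so an `LdbError` escaping the modify leaves the rest of the dbcheck run — and every later fix it applies — operating under the admin session instead of system. Wrap the modify in `try/finally` so the system session is always restored. The explanatory comment block about why the admin session is needed is good and should stay where it is.

```python
        # … unchanged: sd_val/sd_flags setup, confirm_all prompt, nmsg construction, comment block …
        self.samdb.set_session_info(self.admin_session_info)
        try:
            if self.do_modify(nmsg, ["sd_flags:1:%d" % sd_flags],
                              "Failed to fix metadata for attribute %s" % sd_attr):
                self.report("Fixed attribute '%s' of '%s'\n" % (sd_attr, dn))
        finally:
            self.samdb.set_session_info(self.system_session_info)
```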
@@ -876,6 +912,11 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) error_count += 1 continue + if sd.owner_sid is None or sd.group_sid is None: + self.err_missing_sd_owner(dn, sd) + error_count += 1 + continue + if self.reset_well_known_acls: try: well_known_sd = self.get_wellknown_sd(dn) -- 1.7.11.7 From d1116ab8c109a77468de4e68f456cce9b3b0cbbc Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 22 Mar 2013 22:16:03 +1100 Subject: [PATCH 09/12] scripting: Modify samba.descriptor.get_diff_sds() to cope with a missing reference owner This allows the reference SD not to have an owner specified, and still have the comparison with a database SD that does have an owner pass. (And the same for owning group). Andrew Bartlett Reviewed-by: Stefan Metzmacher (cherry picked from commit 874a93bc1c437543474a6c574b0065b7b953ad38) --- python/samba/descriptor.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py index 4137bc3..164b0bf 100644 --- a/python/samba/descriptor.py +++ b/python/samba/descriptor.py @@ -528,13 +528,13 @@ def get_diff_sds(refsd, cursd, domainsid, checkSacl = True): if not hash_cur.has_key("owner"): txt = "\tNo owner in current SD" - elif hash_cur["owner"] != hash_ref["owner"]: + elif hash_ref.has_key("owner") and hash_cur["owner"] != hash_ref["owner"]: txt = "\tOwner mismatch: %s (in ref) %s" \ "(in current)\n" % (hash_ref["owner"], hash_cur["owner"]) if not hash_cur.has_key("group"): txt = "%s\tNo group in current SD" % txt - elif hash_cur["group"] != hash_ref["group"]: + elif hash_ref.has_key("group") and hash_cur["group"] != hash_ref["group"]: txt = "%s\tGroup mismatch: %s (in ref) %s" \ "(in current)\n" % (txt, hash_ref["group"], hash_cur["group"]) -- 1.7.11.7 From 1bf1cfdec73bd93839af4cdd83fc39a834b71caf Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Fri, 22 Mar 2013 17:12:43 +1100 Subject: [PATCH 10/12] selftest: Add tests for samba-tool dbcheck --reset-well-known-acls Reviewed-by: Stefan Metzmacher (cherry picked from commit 1589e46d11f29551f3598876b62e29fcbad06580) --- selftest/knownfail | 1 + testprogs/blackbox/dbcheck-oldrelease.sh | 64 +++++++++++++++++++++-- testprogs/blackbox/dbcheck.sh | 6 +++ testprogs/blackbox/upgradeprovision-oldrelease.sh | 10 ++++ 4 files changed, 78 insertions(+), 3 deletions(-) diff --git a/selftest/knownfail b/selftest/knownfail index 429f396..d455e34 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -163,6 +163,7 @@ ^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right ^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right ^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right +^samba4.blackbox.dbcheck.release-4-0-0.ldapcmp_sd\(none\) # We do not yet know how to reset the DC ACL with dbcheck ^samba3.smb2.create.gentest ^samba3.smb2.create.blob ^samba3.smb2.create.open diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh index 6032bbc..a06e025 100755 --- a/testprogs/blackbox/dbcheck-oldrelease.sh +++ b/testprogs/blackbox/dbcheck-oldrelease.sh 
@@ -25,16 +25,41 @@ undump() { } reindex() { - $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + $PYTHON $BINDIR/samba-tool dbcheck --reindex -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ } # This should 'fail', because it returns the number of modified records dbcheck() { - $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ } # But having fixed it all up, this should pass dbcheck_clean() { - $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ + $PYTHON $BINDIR/samba-tool dbcheck --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ +} + +# This should 'fail', because it returns the number of modified records +dbcheck_acl_reset() { + $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs --fix --yes -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ +} +# But having fixed it all up, this should pass +dbcheck_acl_reset_clean() { + $PYTHON $BINDIR/samba-tool dbcheck --reset-well-known-acls --cross-ncs -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb $@ +} + +referenceprovision() { + $PYTHON $BINDIR/samba-tool domain provision --server-role="dc" --domain=SAMBA --host-name=ares --realm=${RELEASE}.samba.corp --targetdir=$PREFIX_ABS/${RELEASE}_reference --use-ntvfs --host-ip=127.0.0.1 --host-ip6=::1 +} + +ldapcmp() { + if [ x$RELEASE != x"alpha13" ]; then + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord + fi +} + +ldapcmp_sd() { + if [ x$RELEASE != x"alpha13" ]; then + $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --sd --skip-missing-dn + fi } if [ -d $release_dir ]; then 
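Review bot: The new `dbcheck_acl_reset` and `dbcheck_acl_reset_clean` functions (like the three they copy) forward their arguments with a bare `$@`, which re-splits any argument containing whitespace; `"$@"` preserves them. The same applies to `$PREFIX_ABS`, unquoted in every `tdb://` URL and in `--targetdir=`, and to the `[ x$RELEASE != x"alpha13" ]` tests in `ldapcmp`/`ldapcmp_sd`, where `[ "$RELEASE" != "alpha13" ]` is the plain form. A comment above `ldapcmp_sd` saying that it compares the security descriptors of the dbcheck-fixed database against a fresh `referenceprovision` would make the test's intent clear without reading the `samba-tool ldapcmp` options.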
@@ -42,6 +67,11 @@ if [ -d $release_dir ]; then
     testit "reindex" reindex
     testit_expect_failure "dbcheck" dbcheck
     testit "dbcheck_clean" dbcheck_clean
+    testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset
+    testit "dbcheck_acl_reset_clean" dbcheck_acl_reset_clean
+    testit "referenceprovision" referenceprovision
+    testit "ldapcmp" ldapcmp
+    testit "ldapcmp_sd" ldapcmp_sd
 else
     subunit_start_test $RELEASE
     subunit_skip_test $RELEASE <
Date: Fri, 22 Mar 2013 21:36:49 +1100
Subject: [PATCH 11/12] samba-tool ldapcmp: Remove the GUID -> name mappings
These mappings are very convenient, however because they are not one-to-one, they lead to differences being reported when none exist, dependent only on the order the schema searches return results in.
Sadly the time saved by the names is offset by the time wasted chasing the 'differences' that don't exist.
This in turn fixes some tests that were previously knownfail
Andrew Bartlett
Reviewed-by: Stefan Metzmacher
(cherry picked from commit 5d42260eecfd4f26cc82637ce1bc989083c9eb9d)
---
 python/samba/netcmd/ldapcmp.py | 47 ++++-------------------------------------
 selftest/knownfail | 8 +++----
 2 files changed, 7 insertions(+), 48 deletions(-)
diff --git a/python/samba/netcmd/ldapcmp.py b/python/samba/netcmd/ldapcmp.py
index 6e025a2..7bd118e 100644
--- a/python/samba/netcmd/ldapcmp.py
+++ b/python/samba/netcmd/ldapcmp.py
@@ -80,7 +80,6 @@ class LDAPBase(object):
         self.server_names = self.find_servers()
         self.domain_name = re.sub("[Dd][Cc]=", "", self.base_dn).replace(",", ".")
         self.domain_sid = self.find_domain_sid()
-        self.get_guid_map()
         self.get_sid_map()
         #
         # Log some domain controller specific place-holers that are being used
@@ -250,20 +249,6 @@ class LDAPBase(object):
         assert index == len(blob)
         return res.strip().replace(" ", "-")
 
-    def get_guid_map(self):
-        """ Build dictionary that maps GUID to 'name' attribute found in Schema or Extended-Rights.
-        """
-        self.guid_map = {}
-        res = self.ldb.search(base=self.schema_dn,
-                              expression="(schemaIdGuid=*)", scope=SCOPE_SUBTREE, attrs=["schemaIdGuid", "name"])
-        for item in res:
-            self.guid_map[self.guid_as_string(item["schemaIdGuid"]).lower()] = item["name"][0]
-        #
-        res = self.ldb.search(base="cn=extended-rights,%s" % self.config_dn,
-                              expression="(rightsGuid=*)", scope=SCOPE_SUBTREE, attrs=["rightsGuid", "name"])
-        for item in res:
-            self.guid_map[str(item["rightsGuid"]).lower()] = item["name"][0]
-
     def get_sid_map(self):
         """ Build dictionary that maps GUID to 'name' attribute found in Schema or Extended-Rights.
         """
@@ -299,22 +284,6 @@ class Descriptor(object):
             return []
         return re.findall("(\(.*?\))", res)
 
-    def fix_guid(self, ace):
-        res = "%s" % ace
-        guids = re.findall("[a-z0-9]+?-[a-z0-9]+-[a-z0-9]+-[a-z0-9]+-[a-z0-9]+", res)
-        # If there are not GUIDs to replace return the same ACE
-        if len(guids) == 0:
-            return res
-        for guid in guids:
-            try:
-                name = self.con.guid_map[guid.lower()]
-                res = res.replace(guid, name)
-            except KeyError:
-                # Do not bother if the GUID is not found in
-                # cn=Schema or cn=Extended-Rights
-                pass
-        return res
-
     def fix_sid(self, ace):
         res = "%s" % ace
         sids = re.findall("S-[-0-9]+", res)
@@ -330,14 +299,6 @@ class Descriptor(object):
                 pass
         return res
 
-    def fixit(self, ace):
-        """ Combine all replacement methods in one
-        """
-        res = "%s" % ace
-        res = self.fix_guid(res)
-        res = self.fix_sid(res)
-        return res
-
     def diff_1(self, other):
         res = ""
         if len(self.dacl_list) != len(other.dacl_list):
@@ -361,8 +322,8 @@ class Descriptor(object):
                 other_ace = ""
             if len(self_ace) + len(other_ace) == 0:
                 break
-            self_ace_fixed = "%s" % self.fixit(self_ace)
-            other_ace_fixed = "%s" % other.fixit(other_ace)
+            self_ace_fixed = "%s" % self.fix_sid(self_ace)
+            other_ace_fixed = "%s" % other.fix_sid(other_ace)
             if self_ace_fixed != other_ace_fixed:
                 res += "%60s * %s\n" % ( self_ace_fixed, other_ace_fixed )
             flag = False
@@ -383,8 +344,8 @@ class Descriptor(object):
         other_aces = []
         self_dacl_list_fixed = []
         other_dacl_list_fixed = []
-        [self_dacl_list_fixed.append( self.fixit(ace) ) for ace in self.dacl_list]
-        [other_dacl_list_fixed.append( other.fixit(ace) ) for ace in other.dacl_list]
+        [self_dacl_list_fixed.append( self.fix_sid(ace) ) for ace in self.dacl_list]
+        [other_dacl_list_fixed.append( other.fix_sid(ace) ) for ace in other.dacl_list]
         for ace in self_dacl_list_fixed:
             try:
                 other_dacl_list_fixed.index(ace)
diff --git a/selftest/knownfail b/selftest/knownfail
index d455e34..ecb1934 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
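Review bot: The two rewritten lines in the hunk at -383 keep a list comprehension that is evaluated only for its side effect (`[self_dacl_list_fixed.append( self.fix_sid(ace) ) for ace in self.dacl_list]` builds and throws away a list of `None`); since these lines are being touched anyway, build the lists directly with `self_dacl_list_fixed = [self.fix_sid(ace) for ace in self.dacl_list]` and `other_dacl_list_fixed = [other.fix_sid(ace) for ace in other.dacl_list]` and drop the two `= []` initialisations above them. In the hunk at -361 the `"%s" %` wrapping around `self.fix_sid(self_ace)` and `other.fix_sid(other_ace)` looks redundant, since `fix_sid` (visible in the -299 hunk) already starts from `res = "%s" % ace` and returns that string. Both hunks lie inside `Descriptor` methods whose bodies start and end outside the hunks.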
@@ -159,11 +159,9 @@
 ^samba4.rpc.lsa.forest.trust #Not fully provided by Samba4
 ^samba4.blackbox.kinit\(.*\).kinit with user password for expired password\(.*\) # We need to work out why this fails only during the pw change
 ^samba4.blackbox.dbcheck\(vampire_dc\).dbcheck\(vampire_dc:local\) # Due to replicating with --domain-critical-only we fail dbcheck on this database
-^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
-^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
-^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
-^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects and not getting the DC ACL right
-^samba4.blackbox.dbcheck.release-4-0-0.ldapcmp_sd\(none\) # We do not yet know how to reset the DC ACL with dbcheck
+^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
+^samba4.blackbox.upgradeprovision.alpha13.ldapcmp_full_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
+^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_sd\(none\) # Due to something rewriting the NT ACL on DNS objects
 ^samba3.smb2.create.gentest
 ^samba3.smb2.create.blob
 ^samba3.smb2.create.open
-- 
1.7.11.7
From c7c275cc1dd9e3f160697ae1ce09e49e15209b12 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 22 Mar 2013 21:58:25 +1100
Subject: [PATCH 12/12] scripting: Fill the ProvisionNames hash with strings, not ldb.MessageElement or Dn
This avoids the need to fix it up again in samba_upgradedns.
Andrew Bartlett
Reviewed-by: Stefan Metzmacher
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Mon Mar 25 13:25:30 CET 2013 on sn-devel-104
(cherry picked from commit 30adf0cdbae6d9aaf2e72513d9c33267248f20c0)
---
 python/samba/provision/__init__.py | 15 +++++++--------
 source4/scripting/bin/samba_upgradedns | 16 +---------------
 2 files changed, 8 insertions(+), 23 deletions(-)
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 32baac6..f13b7d1 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -201,9 +201,8 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
                                  "configurationNamingContext","rootDomainNamingContext",
                                  "namingContexts"])
 
-    names.configdn = current[0]["configurationNamingContext"]
-    configdn = str(names.configdn)
-    names.schemadn = current[0]["schemaNamingContext"]
+    names.configdn = current[0]["configurationNamingContext"][0]
+    names.schemadn = current[0]["schemaNamingContext"][0]
 
     if not (ldb.Dn(samdb, basedn) == (ldb.Dn(samdb, current[0]["defaultNamingContext"][0]))):
         raise ProvisioningError(("basedn in %s (%s) and from %s (%s)"
@@ -211,8 +210,8 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
                                     str(current[0]["defaultNamingContext"][0]),
                                     paths.smbconf, basedn)))
 
-    names.domaindn=current[0]["defaultNamingContext"]
-    names.rootdn=current[0]["rootDomainNamingContext"]
+    names.domaindn=current[0]["defaultNamingContext"][0]
+    names.rootdn=current[0]["rootDomainNamingContext"][0]
     names.ncs=current[0]["namingContexts"]
     names.dnsforestdn = None
     names.dnsdomaindn = None
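Review bot: `names.ncs=current[0]["namingContexts"]` in the hunk at -211 is left as the raw MessageElement while every neighbouring field in both hunks is now reduced to a string with `[0]`, so ProvisionNames ends up only half converted despite the commit's stated aim. Because `namingContexts` is multi-valued the same `[0]` trick does not apply, but `names.ncs = [str(nc) for nc in current[0]["namingContexts"]]` would finish the conversion while keeping every value; check the consumers of `names.ncs` first, since they may rely on the element type. `find_provision_key_parameters` begins and ends outside these hunks.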
@@ -232,7 +231,7 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
 
     # default site name
     res3 = samdb.search(expression="(objectClass=site)",
-                        base="CN=Sites," + configdn, scope=ldb.SCOPE_ONELEVEL, attrs=["cn"])
+                        base="CN=Sites," + names.configdn, scope=ldb.SCOPE_ONELEVEL, attrs=["cn"])
     names.sitename = str(res3[0]["cn"])
 
     # dns hostname and server dn
@@ -242,8 +241,8 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
     names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain, "")
 
     server_res = samdb.search(expression="serverReference=%s" % res4[0].dn,
-                                attrs=[], base=configdn)
-    names.serverdn = server_res[0].dn
+                                attrs=[], base=names.configdn)
+    names.serverdn = str(server_res[0].dn)
 
     # invocation id/objectguid
     res5 = samdb.search(expression="(objectClass=*)",
diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index f389ef7..3c30090 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
@@ -83,19 +83,6 @@ def find_bind_gid():
     return None
 
 
-def fix_names(pnames):
-    """Convert elements to strings from MessageElement
-    """
-    names = pnames
-    names.rootdn = pnames.rootdn[0]
-    names.domaindn = pnames.domaindn[0]
-    names.configdn = pnames.configdn[0]
-    names.schemadn = pnames.schemadn[0]
-    names.root_gid = pnames.root_gid
-    names.serverdn = str(pnames.serverdn)
-    return names
-
-
 def convert_dns_rdata(rdata, serial=1):
     """Convert resource records in dnsRecord format
     """
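Review bot: The rewritten `names.serverdn = str(server_res[0].dn)` in the hunk at -242 still indexes the search result without checking that the `serverReference` lookup returned anything, so a database whose server object has no matching entry under the configuration NC fails with an IndexError instead of the `ProvisioningError` this function raises for the basedn mismatch in the -201 hunk. Since the line is being changed anyway, guard it first, e.g. `if len(server_res) != 1: raise ProvisioningError("expected exactly one serverReference match, got %d" % len(server_res))`. `find_provision_key_parameters` begins and ends outside this hunk.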
@@ -270,9 +257,8 @@ if __name__ == '__main__':
     paths = get_paths(param, smbconf=lp.configfile)
     paths.bind_gid = find_bind_gid()
     ldbs = get_ldbs(paths, creds, system_session(), lp)
-    pnames = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap,
+    names = find_provision_key_parameters(ldbs.sam, ldbs.secrets, ldbs.idmap,
                                            paths, lp.configfile, lp)
-    names = fix_names(pnames)
 
     if names.domainlevel < DS_DOMAIN_FUNCTION_2003:
         logger.error("Cannot create AD based DNS for OS level < 2003")
-- 
1.7.11.7
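Review bot: Renaming `pnames` to `names` on the call line shortens the opener by one character, but the unchanged continuation line `paths, lp.configfile, lp)` keeps its old indentation, so if it was aligned with the opening parenthesis before it is now one column off; re-indent it by one column so the call reads cleanly. This hunk sits inside the `if __name__ == '__main__':` block, which begins and ends outside the hunk.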