The branch, master has been updated
       via  b1d2bb3... s4:provision_users.ldif - Add a comment that some objects under "Users" are now located elsewhere
       via  face5d3... s4:provision_users.ldif - Add objects for IIS
       via  9ac39b6... s4:provision_users.ldif - Add additional BUILTIN objects
       via  2a05dd6... s4:provision_users.ldif - add the restant part of the objects needing for RODC support
       via  7135705... s4:provision_users.ldif - Fix up errors on existing entries
       via  81053e9... s4:provision_users.ldif - Simple reordering
       via  a0d7f3e... s4:provision_users.ldif - Remove system objects from the wrong place
       via  40bc48d... s4:SAMR RPC - Fix the criteria for group searches
      from  c663af8... s4-idl: get rid of the operation specific DRS options flags
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------

commit b1d2bb3e51bdee1dd32d97af8d502adc374acefb
Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de>
Date:   Wed Jan 13 17:39:28 2010 +0100

    s4:provision_users.ldif - Add a comment that some objects under "Users" are now located elsewhere

    This is needed due to the new RID/SID distribution system

commit face5d3030b6d2c7dfbe6e2cb36a2e59e9efde67
Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de>
Date:   Sun Jan 10 14:20:09 2010 +0100

    s4:provision_users.ldif - Add objects for IIS

    Some WSPP locations point out that beginning with Windows Server 2008 they're
    also per default present.

    Compared against Windows Server 2008

commit 9ac39b659f00dc3737dff5be021cd0aefa0dc39e
Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de>
Date:   Mon Jan 11 22:12:01 2010 +0100

    s4:provision_users.ldif - Add additional BUILTIN objects

    Compared against Windows Server 2008

commit 2a05dd6fcc9ccbebeeebcb66407ae2e49d626307
Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de>
Date:   Mon Jan 11 22:01:42 2010 +0100

    s4:provision_users.ldif - add the restant part of the objects needing for RODC support

    RODC = Read Only Domain Controllers

    Compared against Windows Server 2008

commit 71357053bb2b0695cbbf4661529fc81db3c8e4fd
Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de>
Date:   Mon Jan 11 21:57:32 2010 +0100

    s4:provision_users.ldif - Fix up errors on existing entries

    Compared against Windows Server 2008

commit 81053e9124057915402ddedb1b7b087516349829
Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de>
Date:   Mon Jan 11 21:44:18 2010 +0100

    s4:provision_users.ldif - Simple reordering

    Sorted according to the SID - easier for later enhancements.
commit a0d7f3e3442d8baa23af0c0e74b3707eedc2158d
Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de>
Date:   Mon Jan 11 21:36:40 2010 +0100

    s4:provision_users.ldif - Remove system objects from the wrong place

    Objects like the "Cryptographic Operators", "Event Log Readers" don't belong
    here but into the builtin domain.

commit 40bc48dfa909fe8eda7e1c4ae072dc298d20e978
Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de>
Date:   Tue Jan 12 22:16:36 2010 +0100

    s4:SAMR RPC - Fix the criteria for group searches

    This should match the MS-SAMR documentation (section 3.1.5.5.1.1)

-----------------------------------------------------------------------

Summary of changes:
 source4/rpc_server/samr/dcesrv_samr.c |    8 +-
 source4/setup/provision_users.ldif    |  211 +++++++++++++++++++++------------
 2 files changed, 137 insertions(+), 82 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index 1621003..7de2377 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c @@ -521,11 +521,11 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state info->num_users = samdb_search_count(state->sam_ctx, state->domain_dn, "(objectClass=user)"); info->num_groups = samdb_search_count(state->sam_ctx, state->domain_dn, - "(&(objectClass=group)(sAMAccountType=%u))", - ATYPE_GLOBAL_GROUP); + "(&(objectClass=group)(groupType=%u))", + GTYPE_SECURITY_GLOBAL_GROUP); info->num_aliases = samdb_search_count(state->sam_ctx, state->domain_dn, - "(&(objectClass=group)(sAMAccountType=%u))", - ATYPE_LOCAL_GROUP); + "(&(objectClass=group)(groupType=%u))", + GTYPE_SECURITY_DOMAIN_LOCAL_GROUP); return NT_STATUS_OK; } diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif index c27249d..a2e5441 100644 --- a/source4/setup/provision_users.ldif +++ b/source4/setup/provision_users.ldif 
@@ -75,107 +75,111 @@ isCriticalSystemObject: TRUE # Add other groups -dn: CN=Enterprise Admins,CN=Users,${DOMAINDN} +dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Designated administrators of the enterprise -member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-519 -adminCount: 1 -sAMAccountName: Enterprise Admins +description: Members of this group are Read-Only Domain Controllers in the enterprise +objectSid: ${DOMAINSID}-498 +sAMAccountName: Enterprise Read-Only Domain Controllers +groupType: -2147483640 isCriticalSystemObject: TRUE -dn: CN=Schema Admins,CN=Users,${DOMAINDN} +dn: CN=Domain Admins,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Designated administrators of the schema +description: Designated administrators of the domain member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-518 +objectSid: ${DOMAINSID}-512 adminCount: 1 -sAMAccountName: Schema Admins +sAMAccountName: Domain Admins isCriticalSystemObject: TRUE dn: CN=Cert Publishers,CN=Users,${DOMAINDN} objectClass: top objectClass: group description: Members of this group are permitted to publish certificates to the Active Directory -groupType: -2147483644 objectSid: ${DOMAINSID}-517 sAMAccountName: Cert Publishers +groupType: -2147483644 isCriticalSystemObject: TRUE -dn: CN=Domain Admins,CN=Users,${DOMAINDN} +dn: CN=Schema Admins,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Designated administrators of the domain +description: Designated administrators of the schema member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-512 +objectSid: ${DOMAINSID}-518 adminCount: 1 -sAMAccountName: Domain Admins +sAMAccountName: Schema Admins +groupType: -2147483640 isCriticalSystemObject: TRUE -dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN} +dn: CN=Enterprise Admins,CN=Users,${DOMAINDN} objectClass: top objectClass: group 
-description: Members in this group can modify group policy for the domain +description: Designated administrators of the enterprise member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-520 -sAMAccountName: Group Policy Creator Owners +objectSid: ${DOMAINSID}-519 +adminCount: 1 +sAMAccountName: Enterprise Admins +groupType: -2147483640 isCriticalSystemObject: TRUE -dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN} +dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Servers in this group can access remote access properties of users -objectSid: ${DOMAINSID}-553 -sAMAccountName: RAS and IAS Servers -groupType: -2147483644 +description: Members in this group can modify group policies for the domain +member: CN=Administrator,CN=Users,${DOMAINDN} +objectSid: ${DOMAINSID}-520 +sAMAccountName: Group Policy Creator Owners isCriticalSystemObject: TRUE dn: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Read-only domain controllers +description: Members of this group are Read-Only Domain Controllers in the domain objectSid: ${DOMAINSID}-521 +adminCount: 1 sAMAccountName: Read-Only Domain Controllers -groupType: -2147483644 isCriticalSystemObject: TRUE -dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN} +dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Enterprise read-only domain controllers -objectSid: ${DOMAINSID}-498 -sAMAccountName: Enterprise Read-Only Domain Controllers +description: Servers in this group can access remote access properties of users +objectSid: ${DOMAINSID}-553 +sAMAccountName: RAS and IAS Servers groupType: -2147483644 isCriticalSystemObject: TRUE -dn: CN=Certificate Service DCOM Access,CN=Users,${DOMAINDN} +dn: CN=Allowed RODC Password Replication Group,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Certificate Service DCOM Access 
-objectSid: ${DOMAINSID}-574 -sAMAccountName: Certificate Service DCOM Access +description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain. +objectSid: ${DOMAINSID}-571 +sAMAccountName: Allowed RODC Password Replication Group groupType: -2147483644 isCriticalSystemObject: TRUE -dn: CN=Cryptographic Operators,CN=Users,${DOMAINDN} +dn: CN=Denied RODC Password Replication Group,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Cryptographic Operators -objectSid: ${DOMAINSID}-569 -sAMAccountName: Cryptographic Operators +description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain. +member: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN} +member: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN} +member: CN=Domain Admins,CN=Users,${DOMAINDN} +member: CN=Cert Publishers,CN=Users,${DOMAINDN} +member: CN=Enterprise Admins,CN=Users,${DOMAINDN} +member: CN=Schema Admins,CN=Users,${DOMAINDN} +member: CN=Domain Controllers,CN=Users,${DOMAINDN} +member: CN=krbtgt,CN=Users,${DOMAINDN} +objectSid: ${DOMAINSID}-572 +sAMAccountName: Denied RODC Password Replication Group groupType: -2147483644 isCriticalSystemObject: TRUE -dn: CN=Event Log Readers,CN=Users,${DOMAINDN} -objectClass: top -objectClass: group -description: Event Log Readers -objectSid: ${DOMAINSID}-573 -sAMAccountName: Event Log Readers -groupType: -2147483644 -isCriticalSystemObject: TRUE +# NOTICE: Some other users and groups which rely on automatic SIDs are located +# in "provision_self_join_modify.ldif" # Add foreign security principals 
@@ -194,6 +198,11 @@ objectClass: top objectClass: foreignSecurityPrincipal objectSid: S-1-5-11 +dn: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN} +objectClass: top +objectClass: foreignSecurityPrincipal +objectSid: S-1-5-17 + dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN} objectClass: top objectClass: foreignSecurityPrincipal @@ -240,6 +249,28 @@ systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE +dn: CN=Account Operators,CN=Builtin,${DOMAINDN} +objectClass: top +objectClass: group +description: Members can administer domain user and group accounts +objectSid: S-1-5-32-548 +adminCount: 1 +sAMAccountName: Account Operators +systemFlags: -1946157056 +groupType: -2147483643 +isCriticalSystemObject: TRUE + +dn: CN=Server Operators,CN=Builtin,${DOMAINDN} +objectClass: top +objectClass: group +description: Members can administer domain servers +objectSid: S-1-5-32-549 +adminCount: 1 +sAMAccountName: Server Operators +systemFlags: -1946157056 +groupType: -2147483643 +isCriticalSystemObject: TRUE + dn: CN=Print Operators,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group @@ -273,6 +304,17 @@ systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE +dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN} +objectClass: top +objectClass: group +description: A backward compatibility group which allows read access on all users and groups in the domain +member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN} +objectSid: S-1-5-32-554 +sAMAccountName: Pre-Windows 2000 Compatible Access +systemFlags: -1946157056 +groupType: -2147483643 +isCriticalSystemObject: TRUE + dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group 
@@ -293,6 +335,16 @@ systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE +dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN} +objectClass: top +objectClass: group +description: Members of this group can create incoming, one-way trusts to this forest +objectSid: S-1-5-32-557 +sAMAccountName: Incoming Forest Trust Builders +systemFlags: -1946157056 +groupType: -2147483643 +isCriticalSystemObject: TRUE + dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group 
@@ -314,76 +366,74 @@ systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Server Operators,CN=Builtin,${DOMAINDN} +dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Members can administer domain servers -objectSid: S-1-5-32-549 -adminCount: 1 -sAMAccountName: Server Operators +description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects +member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN} +objectSid: S-1-5-32-560 +sAMAccountName: Windows Authorization Access Group systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Account Operators,CN=Builtin,${DOMAINDN} +dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Members can administer domain user and group accounts -objectSid: S-1-5-32-548 -adminCount: 1 -sAMAccountName: Account Operators +description: Terminal Server License Servers +objectSid: S-1-5-32-561 +sAMAccountName: Terminal Server License Servers systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN} +dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: A backward compatibility group which allows read access on all users and groups in the domain -member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN} -objectSid: S-1-5-32-554 -sAMAccountName: Pre-Windows 2000 Compatible Access +description: Members are allowed to launch, activate and use Distributed COM objects on this machine. 
+objectSid: S-1-5-32-562 +sAMAccountName: Distributed COM Users systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN} +dn: CN=IIS_IUSRS,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Members of this group can create incoming, one-way trusts to this forest -objectSid: S-1-5-32-557 -sAMAccountName: Incoming Forest Trust Builders +description: Integrated group used by the IIS +member: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN} +objectSid: S-1-5-32-568 +sAMAccountName: IIS_IUSRS systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN} +dn: CN=Cryptographic Operators,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects -member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN} -objectSid: S-1-5-32-560 -sAMAccountName: Windows Authorization Access Group +description: Members are authorized to perform cryptographic operations. +objectSid: S-1-5-32-569 +sAMAccountName: Cryptographic Operators systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN} +dn: CN=Event Log Readers,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Terminal Server License Servers -objectSid: S-1-5-32-561 -sAMAccountName: Terminal Server License Servers +description: Members of this group can read event logs from local machine. 
+objectSid: S-1-5-32-573 +sAMAccountName: Event Log Readers systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN} +dn: CN=Certificate Service DCOM Access,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Members are allowed to launch, activate and use Distributed COM objects on this machine. -objectSid: S-1-5-32-562 -sAMAccountName: Distributed COM Users +description: Members of this group are allowed to connect to Certification Authorities in the enterprise. +objectSid: S-1-5-32-574 +sAMAccountName: Certificate Service DCOM Access systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE @@ -445,6 +495,11 @@ objectClass: top objectClass: foreignSecurityPrincipal objectSid: S-1-5-4 +dn: CN=IUSR,CN=WellKnown Security Principals,${CONFIGDN} +objectClass: top +objectClass: foreignSecurityPrincipal +objectSid: S-1-5-17 + dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN} objectClass: top objectClass: foreignSecurityPrincipal -- Samba Shared Repository
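Review bot: In the dcesrv_samr_info_DomGeneralInformation hunk (@@ -521,11 +521,11 @@) the new filters render GTYPE_SECURITY_GLOBAL_GROUP and GTYPE_SECURITY_DOMAIN_LOCAL_GROUP with "%u", while the provision_users.ldif hunks in this same changeset store groupType as signed negative decimals (`groupType: -2147483644`, `groupType: -2147483640`). Unless the integer-syntax comparison normalises the unsigned rendering to the negative form, the filter literal will not equal the stored value and num_groups / num_aliases may match nothing; format the constants as signed ("%d" with an (int) cast) so the query literal matches what the LDIF writes, and cover this with a test that the two counts are non-zero on a freshly provisioned domain.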
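Review bot: In the @@ -75,107 +75,111 @@ hunk the groupType attribute is set explicitly on several entries (Enterprise Read-Only Domain Controllers, Cert Publishers, Schema Admins, Enterprise Admins, RAS and IAS Servers, both RODC password replication groups) but is removed from Read-Only Domain Controllers (`-groupType: -2147483644`) and absent from Domain Admins and Group Policy Creator Owners. If those three are meant to become global security groups through a provisioning default, state that in a comment under "# Add other groups": the samr hunk in this changeset now counts groups by groupType, so an entry that ends up without the attribute silently drops out of num_groups.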
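Review bot: In the @@ -273,6 +304,17 @@ hunk the Pre-Windows 2000 Compatible Access group is created with `member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}`, i.e. Authenticated Users, which the entry's own description says "allows read access on all users and groups in the domain". That matches the Windows Server 2008 default the commit message compares against, but it is the compatibility setting that domain hardening guidance typically reverses; a short comment on the entry noting that the membership is a deliberate compatibility default would help administrators who review the provisioned objects understand why every authenticated principal can enumerate the directory.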