The branch, master has been updated via 8b9a08e s4:provision.py - add the correct "CN=Sites" security descriptor via 245642a s4:schema.py - reformat and fix the security descriptor from c25afb6 ldb: Support using system pyldb library.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 8b9a08e10f7b984309ba23ca034923c9634b8e46 Author: Matthias Dieter Wallnöfer <m...@samba.org> Date: Sat Oct 23 21:26:05 2010 +0200 s4:provision.py - add the correct "CN=Sites" security descriptor This should help to fix bug #7403. Autobuild-User: Matthias Dieter Wallnöfer <m...@samba.org> Autobuild-Date: Sat Oct 23 20:16:59 UTC 2010 on sn-devel-104 commit 245642a36b5126d2a481a2aac0b20318ed955732 Author: Matthias Dieter Wallnöfer <m...@samba.org> Date: Sat Oct 23 20:27:50 2010 +0200 s4:schema.py - reformat and fix the security descriptor - Now it matches Windows's order - It contained a superfluous entry (an "Administrator" user grant) ----------------------------------------------------------------------- Summary of changes: source4/scripting/python/samba/provision.py | 25 ++++++++++++++--- source4/scripting/python/samba/schema.py | 37 ++++++++++++++++---------- source4/setup/provision_configuration.ldif | 1 + 3 files changed, 44 insertions(+), 19 deletions(-) Changeset truncated at 500 lines:
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 80c9bfd..5205ba5 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -81,10 +81,23 @@ def find_setup_dir():
 return ret
 raise Exception("Unable to find setup directory.")
-# descriptors of the naming contexts
-# hard coded at this point, but will probably be changed when
-# we enable different fsmo roles
-
+# Descriptors of naming contexts and other important objects
+
+# "get_schema_descriptor" is located in "schema.py"
+
+def get_sites_descriptor(domain_sid):
+ sddl = "O:EAG:EAD:AI(A;;RPLCLORC;;;AU)" \
+ "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)" \
+ "(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)" \
+ "S:AI(AU;CISA;CCDCSDDT;;;WD)" \
+ "(OU;CIIOSA;CR;;f0f8ffab-1191-11d0-a060-00aa006c33ed;WD)" \
+ "(OU;CIIOSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \
+ "(OU;CIIOSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \
+ "(OU;CIIOSA;WP;3e10944c-c354-11d0-aff8-0000f80367c1;b7b13124-b82e-11d0-afee-0000f80367c1;WD)"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return ndr_pack(sec)
 def get_config_descriptor(domain_sid):
 sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
@@ -1163,6 +1176,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
 samdb.invocation_id = invocationid
 logger.info("Setting up sam.ldb configuration data")
+ descr = b64encode(get_sites_descriptor(domainsid))
 setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
 "CONFIGDN": names.configdn,
 "NETBIOSNAME": names.netbiosname,
@@ -1173,7 +1187,8 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
 "DOMAINDN": names.domaindn,
 "SERVERDN": names.serverdn,
 "FOREST_FUNCTIONALITY": str(forestFunctionality),
- "DOMAIN_FUNCTIONALITY": str(domainFunctionality)
+ "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
+ "SITES_DESCRIPTOR": descr
 })
 logger.info("Setting up display specifiers")
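Review bot: In `get_sites_descriptor` the DACL hard-codes two entries that carry the `ID` (inherited) flag, `(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)` and `(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)`, so the string stores a snapshot of what the parent container is expected to propagate instead of letting it be derived. If the descriptor of the configuration naming context changes later, these copies can drift from the parent unless inheritance is recomputed when the object is added, which is not visible in this hunk. The function also has no docstring; I would add `"""Return the NDR-packed security descriptor for CN=Sites; domain_sid is handed to from_sddl together with the SDDL string."""` and a comment above `sddl` naming the reference system the string was taken from. The trailing context function `get_config_descriptor` continues outside the hunk.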
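Review bot: In the `@@ -1163` and `@@ -1173` hunks the descriptor reaches the directory only through the provisioning LDIF, so a database provisioned before this commit would presumably keep its previous CN=Sites descriptor unless an upgrade path rewrites it, and none is visible here. The `nTSecurityDescriptor::` form in the LDIF expects base64, which is why `b64encode` is required; a comment at the assignment such as `# "::" in the LDIF means base64, keep b64encode in step with it` would make that coupling explicit. A more specific name than `descr`, for example `sites_descr`, would prevent mix-ups if other descriptors are built in the same function (not visible here). `setup_samdb` starts and ends outside both hunks.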
diff --git a/source4/scripting/python/samba/schema.py b/source4/scripting/python/samba/schema.py
index 848d4ec..73bc2e4 100644
--- a/source4/scripting/python/samba/schema.py
+++ b/source4/scripting/python/samba/schema.py
@@ -33,20 +33,29 @@ from ldb import SCOPE_SUBTREE, SCOPE_ONELEVEL
 import os
 def get_schema_descriptor(domain_sid):
- sddl = "O:SAG:SAD:AI(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c" \
- ";;ER)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)(OA;;CR;1131f6ad-9c07-1" \
- "1d1-f79f-00c04fc2dcd2;;ER)(OA;;CR;e12b56b6-0a95-11d1-adbb-00c04fd8d5cd;;SA)(O" \
- "A;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79" \
- "f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1" \
- "131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04" \
- "fc2dcd2;;BA)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;1131f6aa" \
- "-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2" \
- ";;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ad-9c07-1" \
- "1d1-f79f-00c04fc2dcd2;;ED)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;LA)(A;CI;RPWPCRCCLCL" \
- "ORCWOWDSW;;;SA)(A;CI;RPLCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:(O" \
- "U;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)(OU;SA;CR;e12b56b6-0a95-11d1" \
- "-adbb-00c04fd8d5cd;;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPCCDCWOWDSDDTSW;" \
- ";;WD)(AU;CISA;WP;;;WD)"
+ sddl = "O:SAG:SAD:AI(OA;;CR;e12b56b6-0a95-11d1-adbb-00c04fd8d5cd;;SA)" \
+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+ "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+ "(A;CI;RPLCLORC;;;AU)" \
+ "(A;CI;RPWPCRCCLCLORCWOWDSW;;;SA)" \
+ "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)" \
+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)" \
+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)" \
+ "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \
+ "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ER)" \
+ "(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ER)" \
+ "S:(AU;SA;WPCCDCWOWDSDDTSW;;;WD)" \
+ "(AU;CISA;WP;;;WD)" \
+ "(AU;SA;CR;;;BA)" \
+ "(AU;SA;CR;;;DU)" \
+ "(OU;SA;CR;e12b56b6-0a95-11d1-adbb-00c04fd8d5cd;;WD)" \
+ "(OU;SA;CR;45ec5156-db7e-47bb-b53f-dbeb2d03c40f;;WD)"
 sec = security.descriptor.from_sddl(sddl, domain_sid)
 return ndr_pack(sec)
diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
index cb049b0..2ccf6ed 100644
--- a/source4/setup/provision_configuration.ldif
+++ b/source4/setup/provision_configuration.ldif
@@ -1194,6 +1194,7 @@ dn: CN=Sites,${CONFIGDN}
 objectClass: top
 objectClass: sitesContainer
 systemFlags: -2113929216
+nTSecurityDescriptor:: ${SITES_DESCRIPTOR}
 dn: CN=${DEFAULTSITE},CN=Sites,${CONFIGDN}
 objectClass: top
-- Samba Shared Repository
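Review bot: The rewritten `sddl` in `get_schema_descriptor` combines a pure reordering with one real access change, the removal of `(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;LA)`, and nothing in the code records either fact. Comparing the old and new strings entry by entry, every other DACL and SACL ACE survives unchanged, and because all DACL entries are allow ACEs the new order should not alter the access decision. I would add a comment above the string such as `# ACE order follows Windows; the former LA (Administrator) grant was dropped on purpose` so a later edit does not reintroduce it. Databases provisioned earlier presumably keep the old ACL, including the LA entry, unless an upgrade step rewrites it, and a test that parses the SDDL and checks the expected trustees would catch regressions in a string this long.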