paths.samdb = os.path.join(paths.private_dir, lp.get("sam database") or "samdb.ldb")
paths.idmapdb = os.path.join(paths.private_dir, lp.get("idmap database") or "idmap.ldb")
paths.secrets = os.path.join(paths.private_dir, lp.get("secrets database") or "secrets.ldb")
+ paths.privilege = os.path.join(paths.private_dir, "privilege.ldb")
paths.dns = os.path.join(paths.private_dir, dnsdomain + ".zone")
paths.namedconf = os.path.join(paths.private_dir, "named.conf")
paths.namedtxt = os.path.join(paths.private_dir, "named.txt")
return secrets_ldb
+def setup_privileges(path, setup_path, session_info, lp):
+ """Setup the privileges database.
+
+ :param path: Path to the privileges database.
+ :param setup_path: Get the path to a setup file.
+ :param session_info: Session info.
+ :param credentials: Credentials
+ :param lp: Loadparm context
+ :return: LDB handle for the created secrets database
+ """
+ if os.path.exists(path):
+ os.unlink(path)
+ privilege_ldb = Ldb(path, session_info=session_info, lp=lp)
+ privilege_ldb.erase()
+ privilege_ldb.load_ldif_file_add(setup_path("provision_privilege.ldif"))
+
+
def setup_registry(path, setup_path, session_info, lp):
"""Setup the registry.
setup_registry(paths.hklm, setup_path, session_info,
lp=lp)
+ message("Setting up the privileges database")
+ setup_privileges(paths.privilege, setup_path, session_info, lp=lp)
+
message("Setting up idmap db")
idmap = setup_idmapdb(paths.idmapdb, setup_path, session_info=session_info,
lp=lp)
--- /dev/null
+# default privileges - more can be added via LSA or ldbedit
+dn: @ATTRIBUTES
+comment: CASE_INSENSITIVE
+privilege: CASE_INSENSITIVE
+
+dn: @INDEXLIST
+@IDXATTR: objectSid
+@IDXATTR: privilege
+
+dn: sid=S-1-5-32-544
+objectClass: privilege
+comment: Administrators
+objectSid: S-1-5-32-544
+privilege: SeSecurityPrivilege
+privilege: SeBackupPrivilege
+privilege: SeRestorePrivilege
+privilege: SeSystemtimePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeRemoteShutdownPrivilege
+privilege: SeTakeOwnershipPrivilege
+privilege: SeDebugPrivilege
+privilege: SeSystemEnvironmentPrivilege
+privilege: SeSystemProfilePrivilege
+privilege: SeProfileSingleProcessPrivilege
+privilege: SeIncreaseBasePriorityPrivilege
+privilege: SeLoadDriverPrivilege
+privilege: SeCreatePagefilePrivilege
+privilege: SeIncreaseQuotaPrivilege
+privilege: SeChangeNotifyPrivilege
+privilege: SeUndockPrivilege
+privilege: SeManageVolumePrivilege
+privilege: SeImpersonatePrivilege
+privilege: SeCreateGlobalPrivilege
+privilege: SeEnableDelegationPrivilege
+privilege: SeInteractiveLogonRight
+privilege: SeNetworkLogonRight
+privilege: SeRemoteInteractiveLogonRight
+
+dn: sid=S-1-5-32-550
+objectClass: privilege
+comment: Print Operators
+objectSid: S-1-5-32-550
+privilege: SeLoadDriverPrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: sid=S-1-5-32-551
+objectClass: privilege
+comment: Backup Operators
+objectSid: S-1-5-32-551
+privilege: SeBackupPrivilege
+privilege: SeRestorePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: sid=S-1-5-32-549
+objectClass: privilege
+comment: Server Operators
+objectSid: S-1-5-32-549
+privilege: SeBackupPrivilege
+privilege: SeSystemtimePrivilege
+privilege: SeRemoteShutdownPrivilege
+privilege: SeRestorePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: sid=S-1-5-32-548
+objectClass: privilege
+comment: Account Operators
+objectSid: S-1-5-32-548
+privilege: SeInteractiveLogonRight
+
+dn: sid=S-1-5-32-554
+objectClass: privilege
+comment: Pre-Windows 2000 Compatible Access
+objectSid: S-1-5-32-554
+privilege: SeRemoteInteractiveLogonRight
+privilege: SeChangeNotifyPrivilege