objectClass: foreignSecurityPrincipal
description: %s
",
- sid, subobj.BASEDN, desc);
+ sid, subobj.DOMAINDN, desc);
/* deliberately ignore errors from this, as the records may
already exist */
ldb.add(add);
{
var attrs = new Array("dn");
var res = ldb.search(sprintf("objectSid=%s", sid),
- info.subobj.BASEDN, ldb.SCOPE_SUBTREE, attrs);
+ info.subobj.DOMAINDN, ldb.SCOPE_SUBTREE, attrs);
if (res.length != 1) {
info.message("Failed to find record for objectSid %s\n", sid);
return false;
var previous_remaining = 1;
var current_remaining = 0;
- if (ldapbackend && (basedn == info.subobj.BASEDN)) {
+ if (ldapbackend && (basedn == info.subobj.DOMAINDN)) {
/* Only delete objects that were created by provision */
anything = "(objectcategory=*)";
}
var attrs = new Array("objectSid");
var subobj = info.subobj;
- res = ldb.search("objectSid=*", subobj.BASEDN, ldb.SCOPE_BASE, attrs);
+ res = ldb.search("objectSid=*", subobj.DOMAINDN, ldb.SCOPE_BASE, attrs);
assert(res.length == 1 && res[0].objectSid != undefined);
var sid = res[0].objectSid;
assert(valid_netbios_name(subobj.DOMAIN));
subobj.NETBIOSNAME = strupper(subobj.HOSTNAME);
assert(valid_netbios_name(subobj.NETBIOSNAME));
- var rdns = split(",", subobj.BASEDN);
+ var rdns = split(",", subobj.DOMAINDN);
subobj.RDN_DC = substr(rdns[0], strlen("DC="));
if (subobj.DOMAINGUID != undefined) {
message("Erasing data from partitions\n");
ldb_erase_partitions(info, samdb, ldapbackend);
- message("Adding baseDN: " + subobj.BASEDN + " (permitted to fail)\n");
+ message("Adding DomainDN: " + subobj.DOMAINDN + " (permitted to fail)\n");
var add_ok = setup_add_ldif("provision_basedn.ldif", info, samdb, true);
- message("Modifying baseDN: " + subobj.BASEDN + "\n");
+ message("Modifying DomainDN: " + subobj.DOMAINDN + "\n");
var modify_ok = setup_ldb_modify("provision_basedn_modify.ldif", info, samdb);
if (!modify_ok) {
if (!add_ok) {
- message("Failed to both add and modify " + subobj.BASEDN + " in target " + subobj.LDAPBACKEND + "\n");
+ message("Failed to both add and modify " + subobj.DOMAINDN + " in target " + subobj.LDAPBACKEND + "\n");
message("Perhaps you need to run the provision script with the --ldap-base-dn option, and add this record to the backend manually\n");
};
assert(modify_ok);
or may not have been specified, so fetch them from the database */
var attrs = new Array("objectGUID");
- res = ldb.search("objectGUID=*", subobj.BASEDN, ldb.SCOPE_BASE, attrs);
+ res = ldb.search("objectGUID=*", subobj.DOMAINDN, ldb.SCOPE_BASE, attrs);
assert(res.length == 1);
assert(res[0].objectGUID != undefined);
subobj.DOMAINGUID = res[0].objectGUID;
- subobj.HOSTGUID = searchone(ldb, subobj.BASEDN, "(&(objectClass=computer)(cn=" + subobj.NETBIOSNAME + "))", "objectGUID");
+ subobj.HOSTGUID = searchone(ldb, subobj.DOMAINDN, "(&(objectClass=computer)(cn=" + subobj.NETBIOSNAME + "))", "objectGUID");
assert(subobj.HOSTGUID != undefined);
setup_file("provision.zone",
/* Write out a DNS zone file, from the info in the current database */
function provision_ldapbase(subobj, message, paths)
{
- message("Setting up LDAP base entry: " + subobj.BASEDN + " \n");
- var rdns = split(",", subobj.BASEDN);
+ message("Setting up LDAP base entry: " + subobj.DOMAINDN + " \n");
+ var rdns = split(",", subobj.DOMAINDN);
subobj.EXTENSIBLEOBJECT = "objectClass: extensibleObject";
subobj.RDN_DC = substr(rdns[0], strlen("DC="));
strlower(subobj.HOSTNAME),
subobj.DNSDOMAIN);
rdn_list = split(".", subobj.DNSDOMAIN);
- subobj.BASEDN = "DC=" + join(",DC=", rdn_list);
- subobj.ROOTDN = subobj.BASEDN;
+ subobj.DOMAINDN = "DC=" + join(",DC=", rdn_list);
+ subobj.ROOTDN = subobj.DOMAINDN;
subobj.CONFIGDN = "CN=Configuration," + subobj.ROOTDN;
subobj.SCHEMADN = "CN=Schema," + subobj.CONFIGDN;
subobj.LDAPBACKEND = "users.ldb";
-dn: CN=Administrator,CN=Users,${BASEDN}
+dn: CN=Administrator,CN=Users,${DOMAINDN}
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
-memberOf: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
-memberOf: CN=Domain Admins,CN=Users,${BASEDN}
-memberOf: CN=Enterprise Admins,CN=Users,${BASEDN}
-memberOf: CN=Schema Admins,CN=Users,${BASEDN}
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+memberOf: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
+memberOf: CN=Domain Admins,CN=Users,${DOMAINDN}
+memberOf: CN=Enterprise Admins,CN=Users,${DOMAINDN}
+memberOf: CN=Schema Admins,CN=Users,${DOMAINDN}
+memberOf: CN=Administrators,CN=Builtin,${DOMAINDN}
userAccountControl: 66048
objectSid: ${DOMAINSID}-500
adminCount: 1
isCriticalSystemObject: TRUE
sambaPassword: ${ADMINPASS}
-dn: CN=Guest,CN=Users,${BASEDN}
+dn: CN=Guest,CN=Users,${DOMAINDN}
objectClass: user
cn: Guest
description: Built-in account for guest access to the computer/domain
-memberOf: CN=Guests,CN=Builtin,${BASEDN}
+memberOf: CN=Guests,CN=Builtin,${DOMAINDN}
userAccountControl: 66082
primaryGroupID: 514
objectSid: ${DOMAINSID}-501
sAMAccountName: Guest
isCriticalSystemObject: TRUE
-dn: CN=Administrators,CN=Builtin,${BASEDN}
+dn: CN=Administrators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
cn: Administrators
description: Administrators have complete and unrestricted access to the computer/domain
-member: CN=Domain Admins,CN=Users,${BASEDN}
-member: CN=Enterprise Admins,CN=Users,${BASEDN}
-member: CN=Administrator,CN=Users,${BASEDN}
+member: CN=Domain Admins,CN=Users,${DOMAINDN}
+member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
+member: CN=Administrator,CN=Users,${DOMAINDN}
objectSid: S-1-5-32-544
adminCount: 1
sAMAccountName: Administrators
privilege: SeRemoteInteractiveLogonRight
-dn: CN=${NETBIOSNAME},CN=Domain Controllers,${BASEDN}
+dn: CN=${NETBIOSNAME},CN=Domain Controllers,${DOMAINDN}
objectClass: computer
cn: ${NETBIOSNAME}
userAccountControl: 532480
servicePrincipalName: HOST/${NETBIOSNAME}/${DOMAIN}
${HOSTGUID_ADD}
-dn: CN=Users,CN=Builtin,${BASEDN}
+dn: CN=Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
cn: Users
description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
-member: CN=Domain Users,CN=Users,${BASEDN}
+member: CN=Domain Users,CN=Users,${DOMAINDN}
objectSid: S-1-5-32-545
sAMAccountName: Users
sAMAccountType: 536870912
objectCategory: CN=Group,${SCHEMADN}
isCriticalSystemObject: TRUE
-dn: CN=Guests,CN=Builtin,${BASEDN}
+dn: CN=Guests,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
cn: Guests
description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
-member: CN=Domain Guests,CN=Users,${BASEDN}
-member: CN=Guest,CN=Users,${BASEDN}
+member: CN=Domain Guests,CN=Users,${DOMAINDN}
+member: CN=Guest,CN=Users,${DOMAINDN}
objectSid: S-1-5-32-546
sAMAccountName: Guests
sAMAccountType: 536870912
objectCategory: CN=Group,${SCHEMADN}
isCriticalSystemObject: TRUE
-dn: CN=Print Operators,CN=Builtin,${BASEDN}
+dn: CN=Print Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
cn: Print Operators
privilege: SeShutdownPrivilege
privilege: SeInteractiveLogonRight
-dn: CN=Backup Operators,CN=Builtin,${BASEDN}
+dn: CN=Backup Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
cn: Backup Operators
privilege: SeShutdownPrivilege
privilege: SeInteractiveLogonRight
-dn: CN=Replicator,CN=Builtin,${BASEDN}
+dn: CN=Replicator,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
cn: Replicator
objectCategory: CN=Group,${SCHEMADN}
isCriticalSystemObject: TRUE
-dn: CN=Remote Desktop Users,CN=Builtin,${BASEDN}
+dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
cn: Remote Desktop Users
objectCategory: CN=Group,${SCHEMADN}
isCriticalSystemObject: TRUE
-dn: CN=Network Configuration Operators,CN=Builtin,${BASEDN}
+dn: CN=Network Configuration Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
cn: Network Configuration Operators
objectCategory: CN=Group,${SCHEMADN}
isCriticalSystemObject: TRUE
-dn: CN=Performance Monitor Users,CN=Builtin,${BASEDN}
+dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
cn: Performance Monitor Users
objectCategory: CN=Group,${SCHEMADN}
isCriticalSystemObject: TRUE
-dn: CN=Performance Log Users,CN=Builtin,${BASEDN}
+dn: CN=Performance Log Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
cn: Performance Log Users
objectCategory: CN=Group,${SCHEMADN}
isCriticalSystemObject: TRUE
-dn: CN=krbtgt,CN=Users,${BASEDN}
+dn: CN=krbtgt,CN=Users,${DOMAINDN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
isCriticalSystemObject: TRUE
sambaPassword: ${KRBTGTPASS}
-dn: CN=Domain Computers,CN=Users,${BASEDN}
+dn: CN=Domain Computers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
cn: Domain Computers
objectCategory: CN=Group,${SCHEMADN}
isCriticalSystemObject: TRUE
-dn: CN=Domain Controllers,CN=Users,${BASEDN}
+dn: CN=Domain Controllers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
cn: Domain Controllers
sAMAccountName: Domain Controllers
isCriticalSystemObject: TRUE
-dn: CN=Schema Admins,CN=Users,${BASEDN}
+dn: CN=Schema Admins,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
cn: Schema Admins
description: Designated administrators of the schema
-member: CN=Administrator,CN=Users,${BASEDN}
+member: CN=Administrator,CN=Users,${DOMAINDN}
objectSid: ${DOMAINSID}-518
adminCount: 1
sAMAccountName: Schema Admins
isCriticalSystemObject: TRUE
-dn: CN=Enterprise Admins,CN=Users,${BASEDN}
+dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
cn: Enterprise Admins
description: Designated administrators of the enterprise
-member: CN=Administrator,CN=Users,${BASEDN}
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+member: CN=Administrator,CN=Users,${DOMAINDN}
+memberOf: CN=Administrators,CN=Builtin,${DOMAINDN}
objectSid: ${DOMAINSID}-519
adminCount: 1
sAMAccountName: Enterprise Admins
isCriticalSystemObject: TRUE
-dn: CN=Cert Publishers,CN=Users,${BASEDN}
+dn: CN=Cert Publishers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
cn: Cert Publishers
objectCategory: CN=Group,${SCHEMADN}
isCriticalSystemObject: TRUE
-dn: CN=Domain Admins,CN=Users,${BASEDN}
+dn: CN=Domain Admins,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
cn: Domain Admins
description: Designated administrators of the domain
-member: CN=Administrator,CN=Users,${BASEDN}
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+member: CN=Administrator,CN=Users,${DOMAINDN}
+memberOf: CN=Administrators,CN=Builtin,${DOMAINDN}
objectSid: ${DOMAINSID}-512
adminCount: 1
sAMAccountName: Domain Admins
isCriticalSystemObject: TRUE
-dn: CN=Domain Users,CN=Users,${BASEDN}
+dn: CN=Domain Users,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
-memberOf: CN=Users,CN=Builtin,${BASEDN}
+memberOf: CN=Users,CN=Builtin,${DOMAINDN}
objectSid: ${DOMAINSID}-513
sAMAccountName: Domain Users
isCriticalSystemObject: TRUE
-dn: CN=Domain Guests,CN=Users,${BASEDN}
+dn: CN=Domain Guests,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
cn: Domain Guests
description: All domain guests
-memberOf: CN=Guests,CN=Builtin,${BASEDN}
+memberOf: CN=Guests,CN=Builtin,${DOMAINDN}
objectSid: ${DOMAINSID}-514
sAMAccountName: Domain Guests
isCriticalSystemObject: TRUE
-dn: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
+dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
cn: Group Policy Creator Owners
description: Members in this group can modify group policy for the domain
-member: CN=Administrator,CN=Users,${BASEDN}
+member: CN=Administrator,CN=Users,${DOMAINDN}
objectSid: ${DOMAINSID}-520
sAMAccountName: Group Policy Creator Owners
objectCategory: CN=Group,${SCHEMADN}
isCriticalSystemObject: TRUE
-dn: CN=RAS and IAS Servers,CN=Users,${BASEDN}
+dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
cn: RAS and IAS Servers
objectCategory: CN=Group,${SCHEMADN}
isCriticalSystemObject: TRUE
-dn: CN=Server Operators,CN=Builtin,${BASEDN}
+dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
cn: Server Operators
privilege: SeShutdownPrivilege
privilege: SeInteractiveLogonRight
-dn: CN=Account Operators,CN=Builtin,${BASEDN}
+dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
cn: Account Operators