2008R2: Missing extended rights for objectVersion 45
author: Andrew Bartlett <abartlet@samba.org>
Wed, 13 Dec 2017 02:03:57 +0000 (15:03 +1300)
committer: Andrew Bartlett <abartlet@samba.org>
Thu, 14 Dec 2017 07:20:16 +0000 (08:20 +0100)
We appear to have been missing some extended rights from 2008R2. These were
added in Samba by the extended-rights.ldif.

On Windows this was in Sch45.ldf (triggered by adprep schema updates).

We add these changes to adprep/samba-4.7-missing-for-schema-45.ldif,
which can be used to apply the changes to an existing Samba instance.

This is not extracted from the Sch45.ldf file provided by Microsoft
but is instead extracted using ldapcmp against a Samba install running
the new extended-rights.ldif.

Finally, these schema changes mean that the upgradeprovision test starts
failing. This is because it's using an old 4.0.0 schema (that doesn't
have these schema changes), but it's comparing it against a fresh
provision (which does have the changes). We can avoid this failure by
using the 'samba-tool domain schemaupgrade' to bring the old 4.0.0 schema
in line with a fresh provision. Note that the 'upgradeprovision --full'
test doesn't need this change as it seems to more aggressively copy over
any schema differences with a fresh provision.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
source4/setup/adprep/samba-4.7-missing-for-schema45.ldif [new file with mode: 0644]
source4/setup/provision_configuration.ldif

diff --git a/source4/setup/adprep/samba-4.7-missing-for-schema45.ldif b/source4/setup/adprep/samba-4.7-missing-for-schema45.ldif
new file mode 100644 (file)
index 0000000..5394965
--- /dev/null
@@ -0,0 +1,102 @@
+# Missing objects and values that should be in Samba 4.7 to honour the
+# claimed schema 45
+#
+# Extracted from 'samba-tool ldapcmp' and ldbsearch on two Samba
+# installs before and after the schema 2012 patch set landed.
+#
+#
+dn: CN=Manage-Optional-Features,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: add
+objectClass: controlAccessRight
+displayName: Manage Optional Features
+rightsGuid: 7c0e2a7c-a419-48e4-a995-10180aad54dd
+appliesTo: ef9e60e0-56f7-11d1-a9c6-0000f80367c1
+validAccesses: 256
+localizationDisplayId: 79
+-
+
+dn: CN=Run-Protect-Admin-Groups-Task,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: add
+objectClass: controlAccessRight
+displayName: Run Protect Admin Groups Task
+rightsGuid: 7726b9d5-a4b4-4288-a6b2-dce952e80a7f
+appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
+validAccesses: 256
+localizationDisplayId: 78
+-
+
+#
+# These appliesTo values are also documented in MS-ADTS
+# (as 'only in schema version 45 and greater')
+#
+dn: CN=Allowed-To-Authenticate,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=DNS-Host-Name-Attributes,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=Receive-As,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=User-Account-Restrictions,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=User-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=User-Force-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=Validated-DNS-Host-Name,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=Validated-SPN,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
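Review bot: The `-` separator lines that close the two `changetype: add` records (the ones following `localizationDisplayId: 79` and `localizationDisplayId: 78`) are modify-record syntax in RFC 2849; an add record carries no `-` terminator, so a strict LDIF parser will reject the file even if ldb's reader happens to tolerate it. Drop those two lines and keep `-` only on the `changetype: modify` records that follow. The header comment should also state that `DC=X` in every `dn:` is a placeholder and how it is expected to be substituted, since the commit message says this file is meant to be applied to existing Samba instances rather than loaded verbatim. Minor: the commit message names the file `samba-4.7-missing-for-schema-45.ldif`, but the path added here is `samba-4.7-missing-for-schema45.ldif`; one of the two should be corrected so the reference stays greppable.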
index 64bca35c5193da2590f88e5e1462bf5954f3f3fe..b3b45b2ad01c86e2d4e68e4bfc086c884dc2c903 100644 (file)
@@ -484,6 +484,7 @@ tombstoneLifetime: 180
 dn: CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN}
 objectClass: top
 objectClass: container
+systemFlags: -1946157056
 
 dn: CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN}
 objectClass: top
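Review bot: The `systemFlags: -1946157056` line only reaches fresh provisions, because provision_configuration.ldif is consumed at provision time, and the new samba-4.7-missing-for-schema45.ldif in this same commit touches only entries under CN=Extended-Rights; an upgraded 4.7 domain will therefore still have CN=Optional Features without systemFlags, which is exactly the fresh-provision-versus-upgrade mismatch the commit message is trying to close. Add a matching `changetype: modify` / `add: systemFlags` record for this DN to the adprep LDIF if parity is the goal. A short comment giving the hex form, 0x8C000000 (FLAG_DISALLOW_DELETE | FLAG_DOMAIN_DISALLOW_RENAME | FLAG_DOMAIN_DISALLOW_MOVE), would also make the signed decimal value readable to the next person touching this file.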