From 999c068113af6158355634eb9a9c4b5a4d3066d8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 10 Dec 2012 11:32:07 +0100 Subject: [PATCH] s4:provision: set the correct nTSecurityDescriptor on CN=Sites,CN=Configuration... (bug #9481) Signed-off-by: Stefan Metzmacher Reviewed-by: Michael Adam --- .../scripting/python/samba/provision/__init__.py | 3 +++ .../python/samba/provision/descriptor.py | 15 +++++++++++++++ source4/setup/provision_configuration.ldif | 1 + 3 files changed, 19 insertions(+) diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index 63b1bd004db..5e80d63d4a9 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -80,6 +80,7 @@ from samba.provision.descriptor import ( get_empty_descriptor, get_config_descriptor, get_config_partitions_descriptor, + get_config_sites_descriptor, get_domain_descriptor ) from samba.provision.common import ( @@ -1257,6 +1258,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, if fill == FILL_FULL: logger.info("Setting up sam.ldb configuration data") partitions_descr = b64encode(get_config_partitions_descriptor(domainsid)) + sites_descr = b64encode(get_config_sites_descriptor(domainsid)) setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), { "CONFIGDN": names.configdn, "NETBIOSNAME": names.netbiosname, @@ -1269,6 +1271,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid, "FOREST_FUNCTIONALITY": str(forestFunctionality), "DOMAIN_FUNCTIONALITY": str(domainFunctionality), "PARTITIONS_DESCRIPTOR": partitions_descr, + "SITES_DESCRIPTOR": sites_descr, }) logger.info("Setting up display specifiers") diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py index dd1f62f86c0..2deb5500734 100644 --- a/source4/scripting/python/samba/provision/descriptor.py +++ b/source4/scripting/python/samba/provision/descriptor.py @@ -75,6 +75,21 @@ def get_config_partitions_descriptor(domain_sid): sec = security.descriptor.from_sddl(sddl, domain_sid) return ndr_pack(sec) +def get_config_sites_descriptor(domain_sid): + sddl = "D:" \ + "(A;;RPLCLORC;;;AU)" \ + "(OA;CIIO;SW;d31a8757-2447-4545-8081-3bb610cacbf2;f0f8ffab-1191-11d0-a060-00aa006c33ed;ER)" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;EA)" \ + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \ + "S:" \ + "(AU;CISA;CCDCSDDT;;;WD)" \ + "(OU;CIIOSA;CR;;f0f8ffab-1191-11d0-a060-00aa006c33ed;WD)" \ + "(OU;CIIOSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \ + "(OU;CIIOSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967ab3-0de6-11d0-a285-00aa003049e2;WD)" \ + "(OU;CIIOSA;WP;3e10944c-c354-11d0-aff8-0000f80367c1;b7b13124-b82e-11d0-afee-0000f80367c1;WD)" + sec = security.descriptor.from_sddl(sddl, domain_sid) + return ndr_pack(sec) + def get_domain_descriptor(domain_sid): sddl= "O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \ "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)" \ diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif index cb5a251f7ff..1d818ef95cf 100644 --- a/source4/setup/provision_configuration.ldif +++ b/source4/setup/provision_configuration.ldif @@ -1195,6 +1195,7 @@ dn: CN=Sites,${CONFIGDN} objectClass: top objectClass: sitesContainer systemFlags: -2113929216 +ntSecurityDescriptor:: ${SITES_DESCRIPTOR} dn: CN=${DEFAULTSITE},CN=Sites,${CONFIGDN} objectClass: top -- 2.34.1