s4:provision: set the correct nTSecurityDescriptor on CN=Users,... (bug #9481)
authorStefan Metzmacher <metze@samba.org>
Tue, 11 Dec 2012 02:15:26 +0000 (03:15 +0100)
committerMichael Adam <obnox@samba.org>
Tue, 11 Dec 2012 04:20:32 +0000 (05:20 +0100)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
source4/scripting/python/samba/provision/__init__.py
source4/scripting/python/samba/provision/descriptor.py
source4/setup/provision_users_add.ldif

index 52dacdec32c42dfcb662d52ee602c505574733d7..c5a8b397ab7d82aa3cab1fa5a3f16cc7115ac805 100644 (file)
@@ -85,6 +85,7 @@ from samba.provision.descriptor import (
     get_domain_infrastructure_descriptor,
     get_domain_builtin_descriptor,
     get_domain_computers_descriptor,
+    get_domain_users_descriptor,
     )
 from samba.provision.common import (
     setup_path,
@@ -1286,8 +1287,11 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
             samdb.add_ldif(display_specifiers_ldif)
 
         logger.info("Adding users container")
+        users_desc = b64encode(get_domain_users_descriptor(domainsid))
         setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
-                "DOMAINDN": names.domaindn})
+                "DOMAINDN": names.domaindn,
+                "USERS_DESCRIPTOR": users_desc
+                })
         logger.info("Modifying users container")
         setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
                 "DOMAINDN": names.domaindn})
index 8d71969cfd5cf357be749bae478e3a0e7211a712..2a98168a5eb65d2885a6e5fcd6cffc2b7dda32a8 100644 (file)
@@ -224,6 +224,19 @@ def get_domain_computers_descriptor(domain_sid):
     sec = security.descriptor.from_sddl(sddl, domain_sid)
     return ndr_pack(sec)
 
+def get_domain_users_descriptor(domain_sid):
+    sddl = "D:" \
+    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+    "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \
+    "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \
+    "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \
+    "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \
+    "(A;;RPLCLORC;;;AU)" \
+    "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \
+    "S:"
+    sec = security.descriptor.from_sddl(sddl, domain_sid)
+    return ndr_pack(sec)
+
 def get_dns_partition_descriptor(domainsid):
     sddl = "O:SYG:BAD:AI" \
     "(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
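Review bot: `get_domain_users_descriptor` at L39 carries seven ACEs with no docstring or comment, so a maintainer cannot tell which schema classes the object-type GUIDs select or why the trailing `S:` is deliberately empty. I would add a docstring saying it returns the NDR-packed security descriptor for the CN=Users container, with `domain_sid` passed to `from_sddl` so the DA/AO/PO/AU/SY aliases resolve against the new domain, plus a comment above `sddl` mapping the GUIDs to their classes — the backslash continuation style used here and in `get_dns_partition_descriptor` does not allow a trailing comment per ACE line, so one block such as `# OA object GUIDs: bf967aba = user, bf967a9c = group, bf967aa8 = printQueue, 4828cc14 = inetOrgPerson` is the practical form. Unlike the neighbouring `get_dns_partition_descriptor`, whose SDDL opens with `O:SYG:BAD:AI`, this descriptor has no owner, group or DACL flags; if that is intentional because the add path fills in defaults, a one-line comment saying so would stop the next reader from "fixing" it, and if it is not, the owner of CN=Users becomes whatever the adding code supplies and is worth confirming.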
index db075d9c80690ed3af63a5b855a27523fe32d7fd..d5f76ed85400cc27b3fbb308ba0b637abf45b274 100644 (file)
@@ -1,3 +1,4 @@
 dn: CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: container
+nTSecurityDescriptor:: ${USERS_DESCRIPTOR}