The branch, master has been updated via b55a91e join.py: Set NT ACL on crossRef object for new partition from eee14f7 samba-tool/ldapcmp: update the list of non replicated attributes
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit b55a91e9d297c74602d6bd5ef6d2676cf1bfbc75 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Aug 22 14:16:30 2014 +1200 join.py: Set NT ACL on crossRef object for new partition Change-Id: Icb1b00697cc5641481370ded26f2f0551a5b2a97 Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Andrew Bartlett <abart...@samba.org> Signed-off-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Tue Sep 2 14:15:54 CEST 2014 on sn-devel-104 ----------------------------------------------------------------------- Summary of changes: python/samba/descriptor.py | 8 +++++++- python/samba/join.py | 10 +++++++--- 2 files changed, 14 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py index 164b0bf..86ea869 100644 --- a/python/samba/descriptor.py +++ b/python/samba/descriptor.py @@ -361,6 +361,13 @@ def get_dns_domain_microsoft_dns_descriptor(domain_sid, name_map={}): "(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)" return sddl2binary(sddl, domain_sid, name_map) +def get_paritions_crossref_subdomain_descriptor(domain_sid, name_map={}): + sddl = "O:SubdomainAdminsG:SubdomainAdminsD:AI" \ + "(A;;RPWPCRCCLCLORCWOWDSW;;;SubdomainAdmins)" + "(A;;RPLCLORC;;;AU)" + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" + return sddl2binary(sddl, domain_sid, name_map) + def get_wellknown_sds(samdb): # Then subcontainers @@ -427,7 +434,6 @@ def get_wellknown_sds(samdb): return subcontainers - def chunck_acl(acl): """Return separate ACE of an ACL diff --git a/python/samba/join.py b/python/samba/join.py index d9e5e8c..c356145 100644 --- a/python/samba/join.py +++ b/python/samba/join.py 
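Review bot: In `get_paritions_crossref_subdomain_descriptor`, only the first line of the SDDL literal ends in a `\` continuation, so as shown the `(A;;RPLCLORC;;;AU)` and `(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)` strings are not part of `sddl`. The descriptor passed to `sddl2binary` would then carry only the SubdomainAdmins ACE, and join.py writes that result as `ntSecurityDescriptor` on the crossRef, without the Authenticated Users and SYSTEM entries the function evidently intends. Indentation is collapsed in this rendering, so it cannot be told from here whether the stray lines parse as no-op expression statements or fail to compile. Either way the fix is to end the second and third lines with a continuation, `"(A;;RPWPCRCCLCLORCWOWDSW;;;SubdomainAdmins)" \` and `"(A;;RPLCLORC;;;AU)" \`. A test that decodes the returned descriptor and checks its ACE count would catch this.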
@@ -29,6 +29,7 @@ from samba.credentials import Credentials, DONT_USE_KERBEROS from samba.provision import secretsdb_self_join, provision, provision_fill, FILL_DRS, FILL_SUBDOMAIN from samba.provision.common import setup_path from samba.schema import Schema +from samba import descriptor from samba.net import Net from samba.provision.sambadns import setup_bind9_dns from samba import read_and_sub_file @@ -672,8 +673,8 @@ class dc_join(object): """add the various objects needed for the join, for subdomains post replication""" print "Adding %s" % ctx.partition_dn - # NOTE: windows sends a ntSecurityDescriptor here, we - # let it default + name_map = {'SubdomainAdmins': "%s-%s" % (str(ctx.domsid), security.DOMAIN_RID_ADMINS)} + sd_binary = descriptor.get_paritions_crossref_subdomain_descriptor(ctx.forestsid, name_map=name_map) rec = { "dn" : ctx.partition_dn, "objectclass" : "crossRef", @@ -682,7 +683,10 @@ class dc_join(object): "nETBIOSName" : ctx.domain_name, "dnsRoot": ctx.dnsdomain, "trustParent" : ctx.parent_partition_dn, - "systemFlags" : str(samba.dsdb.SYSTEM_FLAG_CR_NTDS_NC|samba.dsdb.SYSTEM_FLAG_CR_NTDS_DOMAIN)} + "systemFlags" : str(samba.dsdb.SYSTEM_FLAG_CR_NTDS_NC|samba.dsdb.SYSTEM_FLAG_CR_NTDS_DOMAIN), + "ntSecurityDescriptor" : sd_binary, + } + if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2003: rec["msDS-Behavior-Version"] = str(ctx.behavior_version) -- Samba Shared Repository
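Review bot: The second join.py hunk drops the old `NOTE: windows sends a ntSecurityDescriptor here` comment and leaves the new descriptor unexplained, including why `ctx.forestsid` is passed as the domain SID while `SubdomainAdmins` is built from `ctx.domsid`. The SDDL in descriptor.py uses only `SubdomainAdmins`, `AU` and `SY`, so the forest SID appears not to affect the result, but a reader cannot tell that from this call site. I would add a comment above `name_map`, e.g. `# crossRef is owned by the new domain's Domain Admins (domsid-DOMAIN_RID_ADMINS); set the SD explicitly as Windows does`. The enclosing method of `dc_join` starts and ends outside the hunk, and the hunk does not show where `security` is imported.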