The branch, master has been updated
via b55a91e join.py: Set NT ACL on crossRef object for new partition
from eee14f7 samba-tool/ldapcmp: update the list of non replicated
attributes
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b55a91e9d297c74602d6bd5ef6d2676cf1bfbc75
Author: Andrew Bartlett <abart...@samba.org>
Date: Fri Aug 22 14:16:30 2014 +1200
join.py: Set NT ACL on crossRef object for new partition
Change-Id: Icb1b00697cc5641481370ded26f2f0551a5b2a97
Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(master): Tue Sep 2 14:15:54 CEST 2014 on sn-devel-104
-----------------------------------------------------------------------
Summary of changes:
python/samba/descriptor.py | 8 +++++++-
python/samba/join.py | 10 +++++++---
2 files changed, 14 insertions(+), 4 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
index 164b0bf..86ea869 100644
--- a/python/samba/descriptor.py
+++ b/python/samba/descriptor.py
@@ -361,6 +361,13 @@ def get_dns_domain_microsoft_dns_descriptor(domain_sid,
name_map={}):
"(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)"
return sddl2binary(sddl, domain_sid, name_map)
+def get_paritions_crossref_subdomain_descriptor(domain_sid, name_map={}):
+ sddl = "O:SubdomainAdminsG:SubdomainAdminsD:AI" \
+ "(A;;RPWPCRCCLCLORCWOWDSW;;;SubdomainAdmins)"
+ "(A;;RPLCLORC;;;AU)"
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
+ return sddl2binary(sddl, domain_sid, name_map)
+
def get_wellknown_sds(samdb):
# Then subcontainers
@@ -427,7 +434,6 @@ def get_wellknown_sds(samdb):
return subcontainers
-
def chunck_acl(acl):
"""Return separate ACE of an ACL
diff --git a/python/samba/join.py b/python/samba/join.py
index d9e5e8c..c356145 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -29,6 +29,7 @@ from samba.credentials import Credentials, DONT_USE_KERBEROS
from samba.provision import secretsdb_self_join, provision, provision_fill,
FILL_DRS, FILL_SUBDOMAIN
from samba.provision.common import setup_path
from samba.schema import Schema
+from samba import descriptor
from samba.net import Net
from samba.provision.sambadns import setup_bind9_dns
from samba import read_and_sub_file
@@ -672,8 +673,8 @@ class dc_join(object):
"""add the various objects needed for the join, for subdomains post
replication"""
print "Adding %s" % ctx.partition_dn
- # NOTE: windows sends a ntSecurityDescriptor here, we
- # let it default
+ name_map = {'SubdomainAdmins': "%s-%s" % (str(ctx.domsid),
security.DOMAIN_RID_ADMINS)}
+ sd_binary =
descriptor.get_paritions_crossref_subdomain_descriptor(ctx.forestsid,
name_map=name_map)
rec = {
"dn" : ctx.partition_dn,
"objectclass" : "crossRef",
@@ -682,7 +683,10 @@ class dc_join(object):
"nETBIOSName" : ctx.domain_name,
"dnsRoot": ctx.dnsdomain,
"trustParent" : ctx.parent_partition_dn,
- "systemFlags" :
str(samba.dsdb.SYSTEM_FLAG_CR_NTDS_NC|samba.dsdb.SYSTEM_FLAG_CR_NTDS_DOMAIN)}
+ "systemFlags" :
str(samba.dsdb.SYSTEM_FLAG_CR_NTDS_NC|samba.dsdb.SYSTEM_FLAG_CR_NTDS_DOMAIN),
+ "ntSecurityDescriptor" : sd_binary,
+ }
+
if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2003:
rec["msDS-Behavior-Version"] = str(ctx.behavior_version)
--
Samba Shared Repository
