schema: Add Validated-Write-Computer Extended Right from Windows Server 2016

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 119ff3f49fac17b655fe309520b6e3da31ad416c..0f7418786c6e6d317b2294e028dc77c5900f26d6 100644 (file)
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1462,11 +1462,15 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
         protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid)).decode('utf8')
         protected2_descr = b64encode(get_config_delete_protected2_descriptor(names.domainsid)).decode('utf8')
 
+        incl_2012 = ""
+        incl_2016 = ""
         if "2008" in schema.base_schema:
-            # exclude 2012-specific changes if we're using a 2008 schema
+            # exclude 2012 and later changes if we're using a 2008 schema
             incl_2012 = "#"
-        else:
-            incl_2012 = ""
+            incl_2016 = "#"
+        elif "2012" in schema.base_schema:
+            # exclude 2016 and later changes if we're using a 2012 schema
+            incl_2016 = "#"
 
         setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
                 "CONFIGDN": names.configdn,
@@ -1493,6 +1497,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
         setup_add_ldif(samdb, setup_path("extended-rights.ldif"), {
                 "CONFIGDN": names.configdn,
                 "INC2012": incl_2012,
+                "INC2016": incl_2016,
                 })
 
         logger.info("Setting up display specifiers")

diff --git a/source4/setup/adprep/samba-4.23-missing-for-schema81.ldif b/source4/setup/adprep/samba-4.23-missing-for-schema81.ldif
new file mode 100644 (file)
index 0000000..944bf5d
--- /dev/null
+++ b/source4/setup/adprep/samba-4.23-missing-for-schema81.ldif
@@ -0,0 +1,13 @@
+# Missing objects and values that should be in Samba 4.23 to honour the
+# claimed schema 81
+#
+#
+dn: CN=DS-Validated-Write-Computer,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: add
+objectClass: controlAccessRight
+displayName: Validated write to computer attributes.
+rightsGuid: 9b026da6-0d3c-465c-8bee-5199d7165cba
+appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
+ShowInAdvancedViewOnly: TRUE
+validAccesses: 8
+-

diff --git a/source4/setup/extended-rights.ldif b/source4/setup/extended-rights.ldif
index 67417b7d020241e138a2a2368394566d9e70c5d0..8ea0ed8e022e28eb08c185cc8cc68fb715b1e397 100644 (file)
--- a/source4/setup/extended-rights.ldif
+++ b/source4/setup/extended-rights.ldif
@@ -832,4 +832,11 @@ ${INC2012}displayName: Write secret attributes of objects in a Partition
 ${INC2012}rightsGuid: 94825A8D-B171-4116-8146-1E34D8F54401
 ${INC2012}appliesTo: 26f11b08-a29d-4869-99bb-ef0b99fd883e
 ${INC2012}validAccesses: 256
-
+${INC2016}
+${INC2016}dn: CN=DS-Validated-Write-Computer,CN=Extended-Rights,${CONFIGDN}
+${INC2016}objectClass: controlAccessRight
+${INC2016}displayName: Validated write to computer attributes.
+${INC2016}rightsGuid: 9b026da6-0d3c-465c-8bee-5199d7165cba
+${INC2016}appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
+${INC2016}validAccesses: 8
+${INC2016}showInAdvancedViewOnly: TRUE

diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh
index a008b81a4a17e81368b922fe4efb90408ec7aa62..2f32d303710c0020f7bdcbd7f57bea0fbe984c83 100755 (executable)
--- a/testprogs/blackbox/dbcheck-oldrelease.sh
+++ b/testprogs/blackbox/dbcheck-oldrelease.sh
@@ -487,6 +487,9 @@ referenceprovision()
 
                # on top of this, also apply 2008R2 changes we accidentally missed in the past
                $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX/${RELEASE}/private/sam.ldb --ldf-file=samba-4.7-missing-for-schema45.ldif,fix-forest-rev.ldf
+
+               # also apply 2016 changes we accidentally missed in the past
+               $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX/${RELEASE}/private/sam.ldb --ldf-file=samba-4.23-missing-for-schema81.ldif,fix-forest-rev.ldf
        fi
 }
 

diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh
index 228b3a5de0f6afc21f2aadfa33c86c786dff63b3..fa298635480f55018eee81996ff3a2aad33cd894 100755 (executable)
--- a/testprogs/blackbox/upgradeprovision-oldrelease.sh
+++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh
@@ -163,6 +163,9 @@ upgradeprovision()
        # on top of this, also apply 2008R2 changes we accidentally missed in the past
        $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX/${RELEASE}_upgrade/private/sam.ldb --ldf-file=samba-4.7-missing-for-schema45.ldif,fix-forest-rev.ldf
 
+       # also apply 2016 changes we accidentally missed in the past
+       $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX/${RELEASE}_upgrade/private/sam.ldb --ldf-file=samba-4.23-missing-for-schema81.ldif,fix-forest-rev.ldf
+
        # add missing domain prep for 2008R2
        $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX/${RELEASE}_upgrade/private/sam.ldb --domain --function-level 2008_R2
 }