From: Jennifer Sutton Date: Tue, 17 Jun 2025 04:22:56 +0000 (+1200) Subject: schema: Add Validated-Write-Computer Extended Right from Windows Server 2016 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5934b746adc80e39521eb69361374c905dc9870a;p=thirdparty%2Fsamba.git schema: Add Validated-Write-Computer Extended Right from Windows Server 2016 Signed-off-by: Jennifer Sutton Reviewed-by: Douglas Bagnall
---
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 119ff3f49fa..0f7418786c6 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1462,11 +1462,15 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
 protected1wd_descr = b64encode(get_config_delete_protected1wd_descriptor(names.domainsid)).decode('utf8')
 protected2_descr = b64encode(get_config_delete_protected2_descriptor(names.domainsid)).decode('utf8')
+ incl_2012 = ""
+ incl_2016 = ""
 if "2008" in schema.base_schema:
- # exclude 2012-specific changes if we're using a 2008 schema
+ # exclude 2012 and later changes if we're using a 2008 schema
 incl_2012 = "#"
- else:
- incl_2012 = ""
+ incl_2016 = "#"
+ elif "2012" in schema.base_schema:
+ # exclude 2016 and later changes if we're using a 2012 schema
+ incl_2016 = "#"
 setup_add_ldif(samdb, setup_path("provision_configuration.ldif"), {
 "CONFIGDN": names.configdn,
@@ -1493,6 +1497,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
 setup_add_ldif(samdb, setup_path("extended-rights.ldif"), {
 "CONFIGDN": names.configdn,
 "INC2012": incl_2012,
+ "INC2016": incl_2016,
 })
 logger.info("Setting up display specifiers")
diff --git a/source4/setup/adprep/samba-4.23-missing-for-schema81.ldif b/source4/setup/adprep/samba-4.23-missing-for-schema81.ldif
new file mode 100644
index 00000000000..944bf5d2441
--- /dev/null
+++ b/source4/setup/adprep/samba-4.23-missing-for-schema81.ldif
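Review bot: The schema gate in the first fill_samdb hunk relies on substring tests (`"2008" in schema.base_schema`, `"2012" in schema.base_schema`), and each new level has to be repeated in every earlier branch, as the 2008 branch now sets both `incl_2012` and `incl_2016`. Because both markers default to `""`, a base_schema string that contains neither substring, including an unexpected one, enables every gated entry passed to extended-rights.ldif. A short comment above the defaults would make that explicit, for example `# markers default to "" (include); a base schema matching no branch gets every gated right`. The body of fill_samdb starts and ends outside the hunk.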
@@ -0,0 +1,13 @@
+# Missing objects and values that should be in Samba 4.23 to honour the
+# claimed schema 81
+#
+#
+dn: CN=DS-Validated-Write-Computer,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: add
+objectClass: controlAccessRight
+displayName: Validated write to computer attributes.
+rightsGuid: 9b026da6-0d3c-465c-8bee-5199d7165cba
+appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
+ShowInAdvancedViewOnly: TRUE
+validAccesses: 8
+-
diff --git a/source4/setup/extended-rights.ldif b/source4/setup/extended-rights.ldif
index 67417b7d020..8ea0ed8e022 100644
--- a/source4/setup/extended-rights.ldif
+++ b/source4/setup/extended-rights.ldif
@@ -832,4 +832,11 @@ ${INC2012}displayName: Write secret attributes of objects in a Partition
 ${INC2012}rightsGuid: 94825A8D-B171-4116-8146-1E34D8F54401
 ${INC2012}appliesTo: 26f11b08-a29d-4869-99bb-ef0b99fd883e
 ${INC2012}validAccesses: 256
-
+${INC2016}
+${INC2016}dn: CN=DS-Validated-Write-Computer,CN=Extended-Rights,${CONFIGDN}
+${INC2016}objectClass: controlAccessRight
+${INC2016}displayName: Validated write to computer attributes.
+${INC2016}rightsGuid: 9b026da6-0d3c-465c-8bee-5199d7165cba
+${INC2016}appliesTo: bf967a86-0de6-11d0-a285-00aa003049e2
+${INC2016}validAccesses: 8
+${INC2016}showInAdvancedViewOnly: TRUE
diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh
index a008b81a4a1..2f32d303710 100755
--- a/testprogs/blackbox/dbcheck-oldrelease.sh
+++ b/testprogs/blackbox/dbcheck-oldrelease.sh
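Review bot: The two definitions of DS-Validated-Write-Computer are not written identically: the adprep record spells the attribute `ShowInAdvancedViewOnly` and places it before `validAccesses`, while the extended-rights.ldif hunk uses `showInAdvancedViewOnly` after it. LDAP attribute names compare case-insensitively, so the stored objects should match, but using `showInAdvancedViewOnly: TRUE` in both places makes it easier to compare a freshly provisioned domain with an upgraded one. The adprep header comment could also say that this record must stay in step with the `${INC2016}` block in extended-rights.ldif, since the same rightsGuid and appliesTo values are now maintained in two files.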
@@ -487,6 +487,9 @@ referenceprovision()
 # on top of this, also apply 2008R2 changes we accidentally missed in the past
 $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX/${RELEASE}/private/sam.ldb --ldf-file=samba-4.7-missing-for-schema45.ldif,fix-forest-rev.ldf
+
+ # also apply 2016 changes we accidentally missed in the past
+ $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX/${RELEASE}/private/sam.ldb --ldf-file=samba-4.23-missing-for-schema81.ldif,fix-forest-rev.ldf
 fi
 }
diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh
index 228b3a5de0f..fa298635480 100755
--- a/testprogs/blackbox/upgradeprovision-oldrelease.sh
+++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh
@@ -163,6 +163,9 @@ upgradeprovision()
 # on top of this, also apply 2008R2 changes we accidentally missed in the past
 $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX/${RELEASE}_upgrade/private/sam.ldb --ldf-file=samba-4.7-missing-for-schema45.ldif,fix-forest-rev.ldf
+ # also apply 2016 changes we accidentally missed in the past
+ $PYTHON $BINDIR/samba-tool domain schemaupgrade -H tdb://$PREFIX/${RELEASE}_upgrade/private/sam.ldb --ldf-file=samba-4.23-missing-for-schema81.ldif,fix-forest-rev.ldf
+
 # add missing domain prep for 2008R2
 $PYTHON $BINDIR/samba-tool domain functionalprep -H tdb://$PREFIX/${RELEASE}_upgrade/private/sam.ldb --domain --function-level 2008_R2
 }
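Review bot: In referenceprovision() the added schemaupgrade call becomes the last command before `fi` and `}`, so the function's exit status now reflects only the schema81 upgrade, and a failure of the preceding schema45 call is no longer visible to the caller unless errexit is set somewhere outside the hunk. In upgradeprovision() the new call sits between two other commands, and its own failure is masked in the same way by the final functionalprep. Appending `|| return 1` to each schemaupgrade line would keep a failed adprep step from being reported as a passing test. Both function bodies start outside their hunks.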