Operation 75 {
5e1574f6-55df-493e-a6-71-aa-ef-fc-a6-a1-00}
- Create the CN=Managed Service Accounts object
Operation 76 {
d262aae8-41f7-48ed-9f-35-56-bb-b6-77-57-3d}
- Add otherWellKnownObject link for CN=Managed Service Accounts
Referenced in the page 'Windows Server 2008R2: Domain-Wide Updates':
https://technet.microsoft.com/en-us/library/
dd378973(v=ws.10).aspx
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
"S:"
return sddl2binary(sddl, domain_sid, name_map)
+def get_managed_service_accounts_descriptor(domain_sid, name_map={}):
+ sddl = "D:" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \
+ "(OA;;CCDC;ce206244-5827-4a86-ba1c-1c0c386c1b64;;AO)" \
+ "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \
+ "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \
+ "(A;;RPLCLORC;;;AU)" \
+ "S:"
+ return sddl2binary(sddl, domain_sid, name_map)
+
def get_domain_controllers_descriptor(domain_sid, name_map={}):
sddl = "D:" \
"(A;;RPLCLORC;;;AU)" \
get_dns_partition_descriptor,
get_dns_forest_microsoft_dns_descriptor,
get_dns_domain_microsoft_dns_descriptor,
+ get_managed_service_accounts_descriptor,
)
from samba.provision.common import (
setup_path,
# If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
if fill == FILL_FULL:
+ managedservice_descr = b64encode(get_managed_service_accounts_descriptor(names.domainsid))
setup_modify_ldif(samdb,
setup_path("provision_configuration_references.ldif"), {
"CONFIGDN": names.configdn,
if fill == FILL_FULL or fill == FILL_SUBDOMAIN:
setup_modify_ldif(samdb,
- setup_path("provision_basedn_references.ldif"),
- {"DOMAINDN": names.domaindn})
+ setup_path("provision_basedn_references.ldif"), {
+ "DOMAINDN": names.domaindn,
+ "MANAGEDSERVICE_DESCRIPTOR": managedservice_descr
+ })
logger.info("Setting up sam.ldb users and groups")
setup_add_ldif(samdb, setup_path("provision_users.ldif"), {
--- /dev/null
+^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_full_sd
objectClass: container
revision: 9
+dn: CN=5e1574f6-55df-493e-a671-aaeffca6a100,CN=Operations,CN=DomainUpdates,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+
+dn: CN=d262aae8-41f7-48ed-9f35-56bbb677573d,CN=Operations,CN=DomainUpdates,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+
# End domain updates
dn: CN=File Replication Service,CN=System,${DOMAINDN}
###############################
# Domain Naming Context
###############################
+dn: CN=Managed Service Accounts,${DOMAINDN}
+changetype: add
+objectClass: container
+description: Default container for managed service accounts
+showInAdvancedViewOnly: FALSE
+nTSecurityDescriptor:: ${MANAGEDSERVICE_DESCRIPTOR}
+
dn: ${DOMAINDN}
changetype: modify
-
wellKnownObjects: B:32:a361b2ffffd211d1aa4b00c04fd7d83a:OU=Domain Controllers,${DOMAINDN}
wellKnownObjects: B:32:aa312825768811d1aded00c04fd8d5cd:CN=Computers,${DOMAINDN}
wellKnownObjects: B:32:a9d1ca15768811d1aded00c04fd8d5cd:CN=Users,${DOMAINDN}
+otherWellKnownObjects: B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,${DOMAINDN}
-
projects / thirdparty / samba.git / commitdiff
