From: Andrew Bartlett Date: Wed, 13 Dec 2017 02:03:57 +0000 (+1300) Subject: 2008R2: Missing extended rights for objectVersion 45 X-Git-Tag: talloc-2.1.11~187 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ff98bf96e9b24242893dc0fe9e1f2fa64d261d30;p=thirdparty%2Fsamba.git 2008R2: Missing extended rights for objectVersion 45 We appear to have been missing some extended rights from 2008R2. These were added in samba by the extended-rights.ldif On Windows this was in Sch45.ldf (triggered by adprep schema updates). We add these changes to adprep/samba-4.7-missing-for-schema-45.ldif, which can be used to apply the changes to an existing Samba instance. This is not extracted from the Sch45.ldf file provided by Microsoft but is instead extracted using ldapcmp against a Samba install running the new extended-rights.ldif. Finally, these schema changes mean that the upgradeprovision test starts failing. This is because it's using an old 4.0.0 schema (that doesn't have these schema changes), but it's comparing it against a fresh provision (which does have the changes). We can avoid this failure by using the 'samba-tool domain schemaupgrade' to bring the old 4.0.0 schema in line with a fresh provision. Note that the 'upgradeprovision --full' test doesn't need this change as it seems to more aggressively copy over any schema differences with a fresh provision. Signed-off-by: Garming Sam Signed-off-by: Tim Beale Signed-off-by: Andrew Bartlett
---
diff --git a/source4/setup/adprep/samba-4.7-missing-for-schema45.ldif b/source4/setup/adprep/samba-4.7-missing-for-schema45.ldif
new file mode 100644
index 00000000000..53949654f38
--- /dev/null
+++ b/source4/setup/adprep/samba-4.7-missing-for-schema45.ldif
@@ -0,0 +1,102 @@
+# Missing objects and values that should be in Samba 4.7 to honour the
+# claimed schema 45
+#
+# Extracted from 'samba-tool ldapcmp' and ldbsearch on two Samba
+# installs before and after the schema 2012 patch set landed.
+#
+#
+dn: CN=Manage-Optional-Features,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: add
+objectClass: controlAccessRight
+displayName: Manage Optional Features
+rightsGuid: 7c0e2a7c-a419-48e4-a995-10180aad54dd
+appliesTo: ef9e60e0-56f7-11d1-a9c6-0000f80367c1
+validAccesses: 256
+localizationDisplayId: 79
+-
+
+dn: CN=Run-Protect-Admin-Groups-Task,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: add
+objectClass: controlAccessRight
+displayName: Run Protect Admin Groups Task
+rightsGuid: 7726b9d5-a4b4-4288-a6b2-dce952e80a7f
+appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9
+validAccesses: 256
+localizationDisplayId: 78
+-
+
+#
+# These appliesTo values are also documented in MS-ADTS
+# (as 'only in schema version 45 and greater')
+#
+dn: CN=Allowed-To-Authenticate,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=DNS-Host-Name-Attributes,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=Receive-As,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=User-Account-Restrictions,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=User-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=User-Force-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=Validated-DNS-Host-Name,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
+
+dn: CN=Validated-SPN,CN=Extended-Rights,CN=Configuration,DC=X
+changetype: modify
+add: appliesTo
+appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64
+-
diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
index 64bca35c519..b3b45b2ad01 100644
--- a/source4/setup/provision_configuration.ldif
+++ b/source4/setup/provision_configuration.ldif
@@ -484,6 +484,7 @@ tombstoneLifetime: 180 dn: CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN} objectClass: top objectClass: container +systemFlags: -1946157056 dn: CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN} objectClass: top
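Review bot: In samba-4.7-missing-for-schema45.ldif, the twelve `changetype: modify` records extend rights such as User-Force-Change-Password, Send-As and Validated-SPN to a class identified only by the GUID ce206244-5827-4a86-ba1c-1c0c386c1b64, so someone auditing this access-control change cannot tell from the file which objects gain the rights. I would add a comment above the first modify record along the lines of `# ce206244-5827-4a86-ba1c-1c0c386c1b64 is the schemaIDGUID of <CLASS-NAME>`, and annotate the two appliesTo GUIDs in the `changetype: add` records the same way. The header comment should also state that `DC=X` is a placeholder for the real base DN, and whether the file may be applied more than once. Each `add: appliesTo` and `changetype: add` would normally be rejected when the value or entry already exists, and the page does not show how the applying tool treats that, so a partially applied file could leave the rights inconsistent.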
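Review bot: The new `systemFlags: -1946157056` on CN=Optional Features in provision_configuration.ldif only takes effect on a fresh provision; nothing visible in this commit sets it on an existing instance, and the adprep LDIF added alongside carries no record for this container. If that is deliberate (for example because systemFlags cannot be changed by an ordinary modify, which I am inferring rather than reading here), it is worth stating, since upgraded domains would otherwise keep the container without the delete protection. The value is also opaque as a signed decimal; a comment such as `# systemFlags 0x8C000000: disallow delete, rename and move` above the entry would make the intent reviewable.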