authorStefan Metzmacher <metze@samba.org>2012-12-11 03:15:26 +0100
committerKarolin Seeger <kseeger@samba.org>2012-12-11 09:05:09 +0100
commit78814f79e2af7ee5a155dc006f7fa61b8c061f11 (patch)
tree43e2f2187fb61a7a8cb94ada03a66eac0f1c7413
parent8e2c71f2003feeebc3291599afa5e2882a40c90f (diff)
downloadsamba-78814f79e2af7ee5a155dc006f7fa61b8c061f11.tar.gz
s4:provision: set the correct nTSecurityDescriptor on CN=Users,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> (cherry picked from commit 8eb359c23c6379be1ccc32e27fd2316d77a7c7b3)
-rw-r--r--source4/scripting/python/samba/provision/__init__.py6
-rw-r--r--source4/scripting/python/samba/provision/descriptor.py13
-rw-r--r--source4/setup/provision_users_add.ldif1
3 files changed, 19 insertions, 1 deletions
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index 52dacdec32c..c5a8b397ab7 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -85,6 +85,7 @@ from samba.provision.descriptor import (
get_domain_infrastructure_descriptor,
get_domain_builtin_descriptor,
get_domain_computers_descriptor,
+ get_domain_users_descriptor,
)
from samba.provision.common import (
setup_path,
@@ -1286,8 +1287,11 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
samdb.add_ldif(display_specifiers_ldif)
logger.info("Adding users container")
+ users_desc = b64encode(get_domain_users_descriptor(domainsid))
setup_add_ldif(samdb, setup_path("provision_users_add.ldif"), {
- "DOMAINDN": names.domaindn})
+ "DOMAINDN": names.domaindn,
+ "USERS_DESCRIPTOR": users_desc
+ })
logger.info("Modifying users container")
setup_modify_ldif(samdb, setup_path("provision_users_modify.ldif"), {
"DOMAINDN": names.domaindn})
diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
index 8d71969cfd5..2a98168a5eb 100644
--- a/source4/scripting/python/samba/provision/descriptor.py
+++ b/source4/scripting/python/samba/provision/descriptor.py
@@ -224,6 +224,19 @@ def get_domain_computers_descriptor(domain_sid):
sec = security.descriptor.from_sddl(sddl, domain_sid)
return ndr_pack(sec)
+def get_domain_users_descriptor(domain_sid):
+ sddl = "D:" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \
+ "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \
+ "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \
+ "(OA;;CCDC;bf967aa8-0de6-11d0-a285-00aa003049e2;;PO)" \
+ "(A;;RPLCLORC;;;AU)" \
+ "(OA;;CCDC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;AO)" \
+ "S:"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return ndr_pack(sec)
+
def get_dns_partition_descriptor(domainsid):
sddl = "O:SYG:BAD:AI" \
"(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
diff --git a/source4/setup/provision_users_add.ldif b/source4/setup/provision_users_add.ldif
index db075d9c806..d5f76ed8540 100644
--- a/source4/setup/provision_users_add.ldif
+++ b/source4/setup/provision_users_add.ldif
@@ -1,3 +1,4 @@
dn: CN=Users,${DOMAINDN}
objectClass: top
objectClass: container
+nTSecurityDescriptor:: ${USERS_DESCRIPTOR}