authorStefan Metzmacher <metze@samba.org>2012-12-11 03:15:26 +0100
committerKarolin Seeger <kseeger@samba.org>2012-12-11 09:05:09 +0100
commitcfe4b43b13ad9d9a25c2072f6ccf55066cea19f7 (patch)
tree91f2e23a20ec8c997ae57a4a975dc10b3e783226
parent78814f79e2af7ee5a155dc006f7fa61b8c061f11 (diff)
downloadsamba-cfe4b43b13ad9d9a25c2072f6ccf55066cea19f7.tar.gz
s4:provision: set the correct nTSecurityDescriptor on CN=Domain Controllers,... (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Tue Dec 11 07:05:39 CET 2012 on sn-devel-104 (cherry picked from commit 914a61d9e5b7a182592f3afe60f4dad1cd342fc4)
-rw-r--r--source4/scripting/python/samba/provision/__init__.py3
-rw-r--r--source4/scripting/python/samba/provision/descriptor.py12
-rw-r--r--source4/setup/provision.ldif1
3 files changed, 16 insertions, 0 deletions
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index c5a8b397ab7..e6ea855b57f 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -86,6 +86,7 @@ from samba.provision.descriptor import (
get_domain_builtin_descriptor,
get_domain_computers_descriptor,
get_domain_users_descriptor,
+ get_domain_controllers_descriptor
)
from samba.provision.common import (
setup_path,
@@ -1308,6 +1309,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
logger.info("Setting up sam.ldb data")
infrastructure_desc = b64encode(get_domain_infrastructure_descriptor(domainsid))
builtin_desc = b64encode(get_domain_builtin_descriptor(domainsid))
+ controllers_desc = b64encode(get_domain_controllers_descriptor(domainsid))
setup_add_ldif(samdb, setup_path("provision.ldif"), {
"CREATTIME": str(samba.unix2nttime(int(time.time()))),
"DOMAINDN": names.domaindn,
@@ -1319,6 +1321,7 @@ def fill_samdb(samdb, lp, names, logger, domainsid, domainguid, policyguid,
"POLICYGUID_DC": policyguid_dc,
"INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
"BUILTIN_DESCRIPTOR": builtin_desc,
+ "DOMAIN_CONTROLLERS_DESCRIPTOR": controllers_desc,
})
# If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
diff --git a/source4/scripting/python/samba/provision/descriptor.py b/source4/scripting/python/samba/provision/descriptor.py
index 2a98168a5eb..adf75797ccf 100644
--- a/source4/scripting/python/samba/provision/descriptor.py
+++ b/source4/scripting/python/samba/provision/descriptor.py
@@ -237,6 +237,18 @@ def get_domain_users_descriptor(domain_sid):
sec = security.descriptor.from_sddl(sddl, domain_sid)
return ndr_pack(sec)
+def get_domain_controllers_descriptor(domain_sid):
+ sddl = "D:" \
+ "(A;;RPLCLORC;;;AU)" \
+ "(A;;RPWPCRCCLCLORCWOWDSW;;;DA)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "(A;;RPLCLORC;;;ED)" \
+ "S:" \
+ "(AU;SA;CCDCWOWDSDDT;;;WD)" \
+ "(AU;CISA;WP;;;WD)"
+ sec = security.descriptor.from_sddl(sddl, domain_sid)
+ return ndr_pack(sec)
+
def get_dns_partition_descriptor(domainsid):
sddl = "O:SYG:BAD:AI" \
"(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)" \
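Review bot: `get_domain_controllers_descriptor` has no docstring, and this SDDL string is the only definition of the ACL that ends up on CN=Domain Controllers, so a reader has to decode each ACE to learn who may change it; add `"""Packed nTSecurityDescriptor for CN=Domain Controllers: read (RPLCLORC) for Authenticated Users and Enterprise DCs, write/create/WO/WD for Domain Admins, everything including delete and delete-tree for SYSTEM; SACL audits create/delete/owner/DACL changes by Everyone and inherited WP."""` under the `def`. Unlike `get_dns_partition_descriptor` directly below, whose string starts `O:SYG:BAD:AI`, this one carries no `O:`/`G:` owner and group and no `AI` flag on either ACL, so the owner of the OU is whatever the descriptor module fills in at write time; presumably that default is acceptable, but it is worth confirming against a Windows-provisioned domain, since the owner of this OU can rewrite its DACL. `get_dns_partition_descriptor` continues past the end of the hunk.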
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 5d20189de29..51e56ff2a6f 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -46,6 +46,7 @@ systemFlags: -1946157056
isCriticalSystemObject: TRUE
showInAdvancedViewOnly: FALSE
gPLink: [LDAP://CN={${POLICYGUID_DC}},CN=Policies,CN=System,${DOMAINDN};0]
+nTSecurityDescriptor:: ${DOMAIN_CONTROLLERS_DESCRIPTOR}
# Joined DC located in "provision_self_join.ldif"