author | Andrew Bartlett <abartlet@samba.org> | 2017-12-13 15:03:57 +1300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-12-14 08:20:16 +0100 |
commit | ff98bf96e9b24242893dc0fe9e1f2fa64d261d30 (patch) | |
tree | 068fedbfda75d608a585985f91db7b9bf6e78f17 /source4/setup | |
parent | d67f706b34d3bae05c7155092aa29d7e1148e7e6 (diff) | |
download | samba-ff98bf96e9b24242893dc0fe9e1f2fa64d261d30.tar.gz |
2008R2: Missing extended rights for objectVersion 45

We appear to have been missing some extended rights from 2008R2. These were
added in samba by the extended-rights.ldif.

On Windows this was in Sch45.ldf (triggered by adprep schema updates).

We add these changes to adprep/samba-4.7-missing-for-schema-45.ldif,
which can be used to apply the changes to an existing Samba instance.
This is not extracted from the Sch45.ldf file provided by Microsoft
but is instead extracted using ldapcmp against a Samba install running
the new extended-rights.ldif.

Finally, these schema changes mean that the upgradeprovision test starts
failing. This is because it's using an old 4.0.0 schema (that doesn't
have these schema changes), but it's comparing it against a fresh
provision (which does have the changes). We can avoid this failure by
using the 'samba-tool domain schemaupgrade' to bring the old 4.0.0 schema
in line with a fresh provision. Note that the 'upgradeprovision --full'
test doesn't need this change as it seems to more aggressively copy over
any schema differences with a fresh provision.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Diffstat (limited to 'source4/setup')
-rw-r--r-- | source4/setup/adprep/samba-4.7-missing-for-schema45.ldif | 102 | ||||
-rw-r--r-- | source4/setup/provision_configuration.ldif | 1 |
2 files changed, 103 insertions, 0 deletions
diff --git a/source4/setup/adprep/samba-4.7-missing-for-schema45.ldif b/source4/setup/adprep/samba-4.7-missing-for-schema45.ldif new file mode 100644 index 00000000000..53949654f38 --- /dev/null +++ b/source4/setup/adprep/samba-4.7-missing-for-schema45.ldif 
@@ -0,0 +1,102 @@ +# Missing objects and values that should be in Samba 4.7 to honour the +# claimed schema 45 +# +# Extracted from 'samba-tool ldapcmp' and ldbsearch on two Samba +# installs before and after the schema 2012 patch set landed. +# +# +dn: CN=Manage-Optional-Features,CN=Extended-Rights,CN=Configuration,DC=X +changetype: add +objectClass: controlAccessRight +displayName: Manage Optional Features +rightsGuid: 7c0e2a7c-a419-48e4-a995-10180aad54dd +appliesTo: ef9e60e0-56f7-11d1-a9c6-0000f80367c1 +validAccesses: 256 +localizationDisplayId: 79 +- + +dn: CN=Run-Protect-Admin-Groups-Task,CN=Extended-Rights,CN=Configuration,DC=X +changetype: add +objectClass: controlAccessRight +displayName: Run Protect Admin Groups Task +rightsGuid: 7726b9d5-a4b4-4288-a6b2-dce952e80a7f +appliesTo: 19195a5b-6da0-11d0-afd3-00c04fd930c9 +validAccesses: 256 +localizationDisplayId: 78 +- + +# +# These appliesTo values are also documented in MS-ADTS +# (as 'only in schema version 45 and greater') +# +dn: CN=Allowed-To-Authenticate,CN=Extended-Rights,CN=Configuration,DC=X +changetype: modify +add: appliesTo +appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64 +- + +dn: CN=DNS-Host-Name-Attributes,CN=Extended-Rights,CN=Configuration,DC=X +changetype: modify +add: appliesTo +appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64 +- + +dn: CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=X +changetype: modify +add: appliesTo +appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64 +- + +dn: CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=X +changetype: modify +add: appliesTo +appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64 +- + +dn: CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=X +changetype: modify +add: appliesTo +appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64 +- + +dn: CN=Receive-As,CN=Extended-Rights,CN=Configuration,DC=X +changetype: modify +add: appliesTo +appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64 +- + +dn: 
CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=X +changetype: modify +add: appliesTo +appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64 +- + +dn: CN=User-Account-Restrictions,CN=Extended-Rights,CN=Configuration,DC=X +changetype: modify +add: appliesTo +appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64 +- + +dn: CN=User-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X +changetype: modify +add: appliesTo +appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64 +- + +dn: CN=User-Force-Change-Password,CN=Extended-Rights,CN=Configuration,DC=X +changetype: modify +add: appliesTo +appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64 +- + +dn: CN=Validated-DNS-Host-Name,CN=Extended-Rights,CN=Configuration,DC=X +changetype: modify +add: appliesTo +appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64 +- + +dn: CN=Validated-SPN,CN=Extended-Rights,CN=Configuration,DC=X +changetype: modify +add: appliesTo +appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64 +- diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif index 64bca35c519..b3b45b2ad01 100644 --- a/source4/setup/provision_configuration.ldif +++ b/source4/setup/provision_configuration.ldif @@ -484,6 +484,7 @@ tombstoneLifetime: 180 dn: CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN} objectClass: top objectClass: container +systemFlags: -1946157056 dn: CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN} objectClass: top |
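
Review bot: In samba-4.7-missing-for-schema45.ldif the two `changetype: add` records (Manage-Optional-Features and Run-Protect-Admin-Groups-Task) end with a `-` line, which RFC 2849 defines only as the terminator of a mod-spec inside a `changetype: modify` record. Drop the `-` from the add records, or note in the header that the file relies on a parser that tolerates it. Two documentation gaps in the same file: every modify record adds `appliesTo: ce206244-5827-4a86-ba1c-1c0c386c1b64` to rights that include User-Change-Password, User-Force-Change-Password and Validated-SPN, yet nothing says which class that GUID identifies, so a comment naming it would let a reader see which objects these rights now cover. The header also does not say how `DC=X` is substituted or how the file is meant to be applied, and re-running it is not obviously safe, since an `add: appliesTo` of a value that is already present and an add of an entry that already exists are both errors in LDAP. Finally, the commit message calls the file samba-4.7-missing-for-schema-45.ldif while the path in the diff is samba-4.7-missing-for-schema45.ldif; one of the two should be corrected.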
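
Review bot: The `systemFlags: -1946157056` line added to `CN=Optional Features` in provision_configuration.ldif has no counterpart in the adprep file shown in this commit, so as far as these two files go, an existing instance brought up to date with samba-4.7-missing-for-schema45.ldif would still lack the value and differ from a fresh provision. Either add a matching record there or say in the commit message why it is left out. The value itself is also opaque: it is 0x8C000000 read as a signed 32-bit integer, and a short comment above the line naming the flag bits it sets would make the intent reviewable.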