authorAndrew Bartlett <abartlet@samba.org>2014-08-22 14:16:30 +1200
committerStefan Metzmacher <metze@samba.org>2014-09-02 14:15:54 +0200
commitb55a91e9d297c74602d6bd5ef6d2676cf1bfbc75 (patch)
treeba10ebd63d1e6dd6abe348783dd04a2abef2890a /python/samba
parenteee14f775e6f2075729d68fa9598dd99f9b9b05d (diff)
join.py: Set NT ACL on crossRef object for new partition
Change-Id: Icb1b00697cc5641481370ded26f2f0551a5b2a97 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Sep 2 14:15:54 CEST 2014 on sn-devel-104
Diffstat (limited to 'python/samba')
-rw-r--r--python/samba/descriptor.py8
-rw-r--r--python/samba/join.py10
2 files changed, 14 insertions, 4 deletions
diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
index 164b0bf254..86ea869b0e 100644
--- a/python/samba/descriptor.py
+++ b/python/samba/descriptor.py
@@ -361,6 +361,13 @@ def get_dns_domain_microsoft_dns_descriptor(domain_sid, name_map={}):
"(A;CI;RPWPCRCCDCLCRCWOWDSDDTSW;;;ED)"
return sddl2binary(sddl, domain_sid, name_map)
+def get_paritions_crossref_subdomain_descriptor(domain_sid, name_map={}):
+ sddl = "O:SubdomainAdminsG:SubdomainAdminsD:AI" \
+ "(A;;RPWPCRCCLCLORCWOWDSW;;;SubdomainAdmins)"
+ "(A;;RPLCLORC;;;AU)"
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
+ return sddl2binary(sddl, domain_sid, name_map)
+
def get_wellknown_sds(samdb):
# Then subcontainers
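Review bot: Only the first line of the `sddl` assignment ends in a backslash, so the literal stops after the `SubdomainAdmins` ACE; the `"(A;;RPLCLORC;;;AU)"` and `"(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"` lines that follow are, as far as the hunk shows, stand-alone string expressions that never reach `sddl2binary`. The crossRef would then be created with a DACL that lacks the Authenticated Users read ACE and the SYSTEM ACE, which is not the access policy written here. Wrapping the four literals in parentheses (`sddl = ("O:SubdomainAdminsG:SubdomainAdminsD:AI"` through `"(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)")`), or ending the second and third literal lines with a trailing backslash, restores the intended string. The function name also spells "partitions" as `paritions`, and join.py calls it by that name in this same commit, so it is cheapest to correct now. Indentation is lost in this rendering, so confirm the exact layout against the file.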
@@ -427,7 +434,6 @@ def get_wellknown_sds(samdb):
return subcontainers
-
def chunck_acl(acl):
"""Return separate ACE of an ACL
diff --git a/python/samba/join.py b/python/samba/join.py
index d9e5e8c0ee..c356145276 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -29,6 +29,7 @@ from samba.credentials import Credentials, DONT_USE_KERBEROS
from samba.provision import secretsdb_self_join, provision, provision_fill, FILL_DRS, FILL_SUBDOMAIN
from samba.provision.common import setup_path
from samba.schema import Schema
+from samba import descriptor
from samba.net import Net
from samba.provision.sambadns import setup_bind9_dns
from samba import read_and_sub_file
@@ -672,8 +673,8 @@ class dc_join(object):
"""add the various objects needed for the join, for subdomains post replication"""
print "Adding %s" % ctx.partition_dn
- # NOTE: windows sends a ntSecurityDescriptor here, we
- # let it default
+ name_map = {'SubdomainAdmins': "%s-%s" % (str(ctx.domsid), security.DOMAIN_RID_ADMINS)}
+ sd_binary = descriptor.get_paritions_crossref_subdomain_descriptor(ctx.forestsid, name_map=name_map)
rec = {
"dn" : ctx.partition_dn,
"objectclass" : "crossRef",
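Review bot: The two lines added before `rec = {` replace the old "we let it default" comment with nothing, although the descriptor is built from two different SIDs: `ctx.forestsid` is passed as the domain SID, while `SubdomainAdmins` is mapped to the `DOMAIN_RID_ADMINS` RID under `ctx.domsid`. A reader cannot tell from the hunk whether that split is deliberate, so a short comment would help, for example `# SD is resolved against the forest SID; owner and admin ACE go to the new subdomain's Domain Admins`, with the wording adjusted to the actual intent. The name map is built with `"%s-%s"` string formatting, so it is also worth confirming that `sddl2binary` accepts a SID string there. The enclosing `dc_join` method starts and ends outside this hunk.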
@@ -682,7 +683,10 @@ class dc_join(object):
"nETBIOSName" : ctx.domain_name,
"dnsRoot": ctx.dnsdomain,
"trustParent" : ctx.parent_partition_dn,
- "systemFlags" : str(samba.dsdb.SYSTEM_FLAG_CR_NTDS_NC|samba.dsdb.SYSTEM_FLAG_CR_NTDS_DOMAIN)}
+ "systemFlags" : str(samba.dsdb.SYSTEM_FLAG_CR_NTDS_NC|samba.dsdb.SYSTEM_FLAG_CR_NTDS_DOMAIN),
+ "ntSecurityDescriptor" : sd_binary,
+ }
+
if ctx.behavior_version >= samba.dsdb.DS_DOMAIN_FUNCTION_2003:
rec["msDS-Behavior-Version"] = str(ctx.behavior_version)