author | Stefan Metzmacher <metze@samba.org> | 2010-06-25 11:11:56 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2010-06-26 09:50:54 +0200 |
commit | 712a149802e9613f105861e838a29bb226e62e02 (patch) | |
tree | e50278f97e9c49df7a8d01bc6875485aeae3ca75 | |
parent | 89f94a43d89c9c0238f7b1d3d294175f8482adf9 (diff) | |
s4:provision: don't use hardcoded values for 'nextRid' and 'rIDAvailablePool'
On Windows dcpromo imports nextRid from the local SAM,
which means it's not hardcoded to 1000.
The initial rIDAvailablePool starts at nextRid + 100.
I also found that the RID Set of the local dc
should be created via provision and not at runtime,
when the first rid is needed.
(Tested with dcpromo on w2k8r2, while disabling the DNS
check box).
After provision we should have this (assuming nextRid=1000):
rIDAllocationPool: 1100-1599
rIDPrevAllocationPool: 1100-1599
rIDUsedPool: 0
rIDNextRID: 1100
rIDAvailablePool: 1600-1073741823
Because provision sets rIDNextRid=1100, the first created account
(typically DNS related accounts) will get 1101 as rid!
metze
-rw-r--r-- | source4/scripting/python/samba/provision.py | 14 | ||||
-rw-r--r-- | source4/setup/provision.ldif | 2 | ||||
-rw-r--r-- | source4/setup/provision_basedn_modify.ldif | 2 | ||||
-rw-r--r-- | source4/setup/provision_self_join.ldif | 2 | ||||
-rw-r--r-- | source4/setup/provision_self_join_modify.ldif | 10 |
5 files changed, 24 insertions, 6 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index f48795d3631..808a39db1f6 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -868,7 +868,7 @@ def setup_samdb_rootdse(samdb, setup_path, names):
 def setup_self_join(samdb, names, machinepass, dnspass,
- domainsid, invocationid, setup_path,
+ domainsid, next_rid, invocationid, setup_path,
 policyguid, policyguid_dc, domainControllerFunctionality, ntdsguid):
 """Join a host to its own domain."""
@@ -890,6 +890,7 @@ def setup_self_join(samdb, names,
 "REALM": names.realm,
 "DOMAIN": names.domain,
 "DOMAINSID": str(domainsid),
+ "DCRID": str(next_rid),
 "DNSDOMAIN": names.dnsdomain,
 "SAMBA_VERSION_STRING": version,
 "NTDSGUID": ntdsguid_line,
@@ -920,6 +921,8 @@ def setup_self_join(samdb, names,
 "NETBIOSNAME": names.netbiosname,
 "NTDSGUID": names.ntdsguid,
 "DNSPASS_B64": b64encode(dnspass),
+ "RIDALLOCATIONSTART": str(next_rid + 100),
+ "RIDALLOCATIONEND": str(next_rid + 100 + 499),
 })
 def getpolicypath(sysvolpath, dnsdomain, guid):
@@ -947,7 +950,8 @@ def setup_gpo(sysvolpath, dnsdomain, policyguid, policyguid_dc):
 def setup_samdb(path, setup_path, session_info, provision_backend, lp, names, logger, domainsid, domainguid, policyguid, policyguid_dc, fill, adminpass, krbtgtpass, machinepass, invocationid, dnspass, ntdsguid,
- serverrole, am_rodc=False, dom_for_fun_level=None, schema=None):
+ serverrole, am_rodc=False, dom_for_fun_level=None, schema=None,
+ next_rid=1000):
 """Setup a complete SAM Database. :note: This will wipe the main SAM database file!
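Review bot: The RID layout this commit introduces lives in three unrelated literals — `str(next_rid + 100)` and `str(next_rid + 100 + 499)` in this hunk of setup_self_join, and `str(next_rid + 600)` in the @@ -1109 hunk of setup_samdb — with no code or comment tying them together, so editing the pool size in one function silently breaks the invariant that rIDAvailablePool starts exactly where the DC's rIDAllocationPool ends. If those two ranges ever overlap, the RID Manager and the DC's own RID Set can both hand out the same RID, which yields two accounts sharing one SID; keeping the ranges disjoint is what the three numbers are quietly doing, and that deserves a name and a comment. I would derive both templates from two module-level constants and, in setup_samdb, write `"RIDAVAILABLESTART": str(next_rid + RID_POOL_OFFSET + RID_POOL_SIZE)` so the relationship holds by construction rather than by inspection. Both functions start and end outside this hunk.

```python
# RID layout relative to next_rid: the DC's own account takes next_rid,
# its RID Set is handed the RID_POOL_SIZE RIDs starting at
# next_rid + RID_POOL_OFFSET, and rIDAvailablePool must begin right after.
RID_POOL_OFFSET = 100
RID_POOL_SIZE = 500

# … unchanged: setup_self_join signature and the earlier template substitutions …
    rid_alloc_start = next_rid + RID_POOL_OFFSET
    rid_alloc_end = rid_alloc_start + RID_POOL_SIZE - 1
    # … unchanged: the template call and its other keys …
              "RIDALLOCATIONSTART": str(rid_alloc_start),
              "RIDALLOCATIONEND": str(rid_alloc_end),
              })
```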
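Review bot: `next_rid=1000` is a new public keyword parameter of setup_samdb that ends up in the DC's objectSID, the domain's nextRid and both RID pools, yet the docstring directly below it is left untouched and the value is never checked. A caller passing anything below 1000 would place the DC account and the first provisioned users into the RID range that the well-known accounts and groups occupy, and a string value (for example straight from a command-line option) would only fail later at `next_rid + 100` with a TypeError instead of at the entry point. I would add `:param next_rid: first RID the new domain hands out; the DC object itself gets this RID and its RID Set starts 100 above it` to the docstring and, at the top of the body, `next_rid = int(next_rid)` followed by `if next_rid < 1000: raise ValueError("next_rid must be >= 1000")`. The body of setup_samdb continues outside the hunk.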
@@ -1027,6 +1031,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
 setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
 "CREATTIME": str(int(time.time() * 1e7)), # seconds -> ticks
 "DOMAINSID": str(domainsid),
+ "NEXTRID": str(next_rid),
 "SCHEMADN": names.schemadn,
 "NETBIOSNAME": names.netbiosname,
 "DEFAULTSITE": names.sitename,
@@ -1109,6 +1114,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
 "DEFAULTSITE": names.sitename,
 "CONFIGDN": names.configdn,
 "SERVERDN": names.serverdn,
+ "RIDAVAILABLESTART": str(next_rid + 600),
 "POLICYGUID_DC": policyguid_dc })
@@ -1132,7 +1138,9 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
 setup_self_join(samdb, names=names, invocationid=invocationid, dnspass=dnspass, machinepass=machinepass,
- domainsid=domainsid, policyguid=policyguid,
+ domainsid=domainsid,
+ next_rid=next_rid,
+ policyguid=policyguid,
 policyguid_dc=policyguid_dc, setup_path=setup_path, domainControllerFunctionality=domainControllerFunctionality,
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 7ba3183c94f..2159aeff982 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -809,7 +809,7 @@ dn: CN=RID Manager$,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: rIDManager
 systemFlags: -1946157056
-rIDAvailablePool: 1001-1073741823
+rIDAvailablePool: ${RIDAVAILABLESTART}-1073741823
 isCriticalSystemObject: TRUE
 dn: CN=RpcServices,CN=System,${DOMAINDN}
diff --git a/source4/setup/provision_basedn_modify.ldif b/source4/setup/provision_basedn_modify.ldif
index 1d5345c60ec..b4f30167703 100644
--- a/source4/setup/provision_basedn_modify.ldif
+++ b/source4/setup/provision_basedn_modify.ldif
@@ -68,7 +68,7 @@ replace: msDS-PerUserTrustTombstonesQuota
 msDS-PerUserTrustTombstonesQuota: 10
 -
 replace: nextRid
-nextRid: 1000
+nextRid: ${NEXTRID}
 -
 replace: nTMixedDomain
 nTMixedDomain: 0
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index d4d06f6e631..2530a0e7889 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -32,7 +32,7 @@ servicePrincipalName: ldap/${DNSNAME}
 servicePrincipalName: ldap/${DNSNAME}/${REALM}
 userAccountControl: 532480
 userPassword:: ${MACHINEPASS_B64}
-objectSID: ${DOMAINSID}-1000
+objectSID: ${DOMAINSID}-${DCRID}
 # Here are missing the objects for the NTFRS subscription since we don't
 # support this technique yet.
diff --git a/source4/setup/provision_self_join_modify.ldif b/source4/setup/provision_self_join_modify.ldif
index f81a2b69c7d..c2bba888b7e 100644
--- a/source4/setup/provision_self_join_modify.ldif
+++ b/source4/setup/provision_self_join_modify.ldif
@@ -28,11 +28,21 @@ changetype: modify
 replace: interSiteTopologyGenerator
 interSiteTopologyGenerator: CN=NTDS Settings,${SERVERDN}
+dn: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
+changetype: add
+objectClass: rIDSet
+rIDAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
+rIDPreviousAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
+rIDUsedPool: 0
+rIDNextRID: ${RIDALLOCATIONSTART}
+
 dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
 changetype: modify
 add: servicePrincipalName
 servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN}
 servicePrincipalName: ldap/${NTDSGUID}._msdcs.${DNSDOMAIN}
+add: rIDSetReferences
+rIDSetReferences: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
 # NOTE: This account is SAMBA4 specific!
 dn: CN=dns,CN=Users,${DOMAINDN} |
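Review bot: `objectSID: ${DOMAINSID}-${DCRID}` gives the DC's own account RID next_rid, and the provision_basedn_modify.ldif hunk writes the very same value to the domain's `nextRid`; nothing in either template records that the two are meant to agree or that this RID is already consumed. If any allocation path still treats the domain object's nextRid as the next free RID instead of consulting the new RID Set, it would hand out next_rid a second time and produce a duplicate SID — the authorization confusion the RID Set is there to prevent — though I cannot tell from this diff whether such a path remains. A comment above the line, `# The DC's own account takes RID DCRID, which is also the value written to the domain's nextRid; RIDs must be allocated from the RID Set, never from nextRid`, would make the contract explicit to whoever touches the allocator next.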
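Review bot: The new RID Set entry seeds `rIDNextRID: ${RIDALLOCATIONSTART}` alongside `rIDAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}`, and only the commit message explains that this makes the first created account take RIDALLOCATIONSTART + 1, so in the template itself the value reads like an off-by-one that skips the first RID of the pool. The same reasoning is needed for `rIDPreviousAllocationPool` being identical to the current pool, which is what a freshly promoted Windows DC shows according to the message. A one-line comment above the entry, `# rIDNextRID is the last RID handed out, not the next one: the first allocation from this pool is RIDALLOCATIONSTART + 1, matching what dcpromo produces`, keeps that rationale where the next reader will look for it.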