CVE-2018-14628: python:provision: make DELETEDOBJECTS_DESCRIPTOR available in the ldif files

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python/samba/provision/__init__.py

@@ -81,6 +81,7 @@ from samba.provision.backend import (
     LDBBackend,
 )
 from samba.descriptor import (
+    get_deletedobjects_descriptor,
     get_config_descriptor,
     get_config_partitions_descriptor,
     get_config_sites_descriptor,
@@ -1450,6 +1451,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
     msg["subRefs"] = ldb.MessageElement(names.configdn, ldb.FLAG_MOD_ADD,
                                         "subRefs")
 
+    deletedobjects_descr = b64encode(get_deletedobjects_descriptor(names.domainsid)).decode('utf8')
+
     samdb.invocation_id = invocationid
 
     # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
@@ -1481,6 +1484,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
                 "FOREST_FUNCTIONALITY": str(forestFunctionality),
                 "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
                 "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr,
+                "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
                 "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr,
                 "SERVICES_DESCRIPTOR": protected1_descr,
                 "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr,
@@ -1545,6 +1549,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
         "RIDAVAILABLESTART": str(next_rid + 600),
         "POLICYGUID_DC": policyguid_dc,
         "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
+        "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
         "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc,
         "SYSTEM_DESCRIPTOR": system_desc,
         "BUILTIN_DESCRIPTOR": builtin_desc,

python/samba/provision/sambadns.py

@@ -40,6 +40,7 @@ from samba.dsdb import (
     DS_GUID_USERS_CONTAINER
 )
 from samba.descriptor import (
+    get_deletedobjects_descriptor,
     get_domain_descriptor,
     get_domain_delete_protected1_descriptor,
     get_domain_delete_protected2_descriptor,
@@ -252,6 +253,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
     domainzone_dn = "DC=DomainDnsZones,%s" % domaindn
     forestzone_dn = "DC=ForestDnsZones,%s" % forestdn
     descriptor = get_dns_partition_descriptor(domainsid)
+    deletedobjects_desc = get_deletedobjects_descriptor(domainsid)
 
     setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), {
         "ZONE_DN": domainzone_dn,
@@ -274,6 +276,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
         "ZONE_DNS": domainzone_dns,
         "CONFIGDN": configdn,
         "SERVERDN": serverdn,
+        "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
         "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
         "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
     })
@@ -293,6 +296,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
             "ZONE_DNS": forestzone_dns,
             "CONFIGDN": configdn,
             "SERVERDN": serverdn,
+            "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
             "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
             "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
         })