s4:group policies - add the domain controller group policy
This patch fixes the last difference between s4 and Windows Server regarding group policy objects: we lacked the domain controller policy. - Adds the domain controller policy as it is found in the "original" AD - Also adds the correct version number in the GPT.INI file for the domain group policy (it was missing)
This commit is contained in:
parent
5ad756fad3
commit
10833f641a
@ -766,7 +766,7 @@ def setup_samdb_rootdse(samdb, setup_path, names):
|
||||
def setup_self_join(samdb, names,
|
||||
machinepass, dnspass,
|
||||
domainsid, invocationid, setup_path,
|
||||
policyguid, domainControllerFunctionality):
|
||||
policyguid, policyguid_dc, domainControllerFunctionality):
|
||||
"""Join a host to its own domain."""
|
||||
assert isinstance(invocationid, str)
|
||||
setup_add_ldif(samdb, setup_path("provision_self_join.ldif"), {
|
||||
@ -788,6 +788,7 @@ def setup_self_join(samdb, names,
|
||||
|
||||
setup_add_ldif(samdb, setup_path("provision_group_policy.ldif"), {
|
||||
"POLICYGUID": policyguid,
|
||||
"POLICYGUID_DC": policyguid_dc,
|
||||
"DNSDOMAIN": names.dnsdomain,
|
||||
"DOMAINSID": str(domainsid),
|
||||
"DOMAINDN": names.domaindn})
|
||||
@ -814,7 +815,7 @@ def setup_self_join(samdb, names,
|
||||
|
||||
def setup_samdb(path, setup_path, session_info, credentials, lp,
|
||||
names, message,
|
||||
domainsid, domainguid, policyguid,
|
||||
domainsid, domainguid, policyguid, policyguid_dc,
|
||||
fill, adminpass, krbtgtpass,
|
||||
machinepass, invocationid, dnspass,
|
||||
serverrole, schema=None, ldap_backend=None):
|
||||
@ -969,7 +970,8 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
|
||||
"NETBIOSNAME": names.netbiosname,
|
||||
"DEFAULTSITE": names.sitename,
|
||||
"CONFIGDN": names.configdn,
|
||||
"SERVERDN": names.serverdn
|
||||
"SERVERDN": names.serverdn,
|
||||
"POLICYGUID_DC": policyguid_dc
|
||||
})
|
||||
|
||||
if fill == FILL_FULL:
|
||||
@ -988,6 +990,7 @@ def setup_samdb(path, setup_path, session_info, credentials, lp,
|
||||
dnspass=dnspass,
|
||||
machinepass=machinepass,
|
||||
domainsid=domainsid, policyguid=policyguid,
|
||||
policyguid_dc=policyguid_dc,
|
||||
setup_path=setup_path,
|
||||
domainControllerFunctionality=domainControllerFunctionality)
|
||||
# add the NTDSGUID based SPNs
|
||||
@ -1017,7 +1020,8 @@ def provision(setup_dir, message, session_info,
|
||||
domain=None, hostname=None, hostip=None, hostip6=None,
|
||||
domainsid=None, adminpass=None, ldapadminpass=None,
|
||||
krbtgtpass=None, domainguid=None,
|
||||
policyguid=None, invocationid=None, machinepass=None,
|
||||
policyguid=None, policyguid_dc=None, invocationid=None,
|
||||
machinepass=None,
|
||||
dnspass=None, root=None, nobody=None, users=None,
|
||||
wheel=None, backup=None, aci=None, serverrole=None,
|
||||
ldap_backend_extra_port=None, ldap_backend_type=None,
|
||||
@ -1038,6 +1042,8 @@ def provision(setup_dir, message, session_info,
|
||||
|
||||
if policyguid is None:
|
||||
policyguid = str(uuid.uuid4())
|
||||
if policyguid_dc is None:
|
||||
policyguid_dc = str(uuid.uuid4())
|
||||
if adminpass is None:
|
||||
adminpass = glue.generate_random_str(12)
|
||||
if krbtgtpass is None:
|
||||
@ -1157,7 +1163,8 @@ def provision(setup_dir, message, session_info,
|
||||
credentials=credentials, lp=lp, names=names,
|
||||
message=message,
|
||||
domainsid=domainsid,
|
||||
schema=schema, domainguid=domainguid, policyguid=policyguid,
|
||||
schema=schema, domainguid=domainguid,
|
||||
policyguid=policyguid, policyguid_dc=policyguid_dc,
|
||||
fill=samdb_fill,
|
||||
adminpass=adminpass, krbtgtpass=krbtgtpass,
|
||||
invocationid=invocationid,
|
||||
@ -1177,12 +1184,24 @@ def provision(setup_dir, message, session_info,
|
||||
(paths.smbconf, setup_path("provision.smb.conf.dc")))
|
||||
assert(paths.sysvol is not None)
|
||||
|
||||
policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
|
||||
# Set up group policies (domain policy and domain controller policy)
|
||||
|
||||
policy_path = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
|
||||
"{" + policyguid + "}")
|
||||
os.makedirs(policy_path, 0755)
|
||||
open(os.path.join(policy_path, "GPT.INI"), 'w').write("")
|
||||
open(os.path.join(policy_path, "GPT.INI"), 'w').write(
|
||||
"[General]\r\nVersion=65544")
|
||||
os.makedirs(os.path.join(policy_path, "Machine"), 0755)
|
||||
os.makedirs(os.path.join(policy_path, "User"), 0755)
|
||||
|
||||
policy_path_dc = os.path.join(paths.sysvol, names.dnsdomain, "Policies",
|
||||
"{" + policyguid_dc + "}")
|
||||
os.makedirs(policy_path_dc, 0755)
|
||||
open(os.path.join(policy_path_dc, "GPT.INI"), 'w').write(
|
||||
"[General]\r\nVersion=2")
|
||||
os.makedirs(os.path.join(policy_path_dc, "Machine"), 0755)
|
||||
os.makedirs(os.path.join(policy_path_dc, "User"), 0755)
|
||||
|
||||
if not os.path.isdir(paths.netlogon):
|
||||
os.makedirs(paths.netlogon, 0755)
|
||||
|
||||
@ -1316,7 +1335,8 @@ def provision_become_dc(setup_dir=None,
|
||||
configdn=None, serverdn=None,
|
||||
domain=None, hostname=None, domainsid=None,
|
||||
adminpass=None, krbtgtpass=None, domainguid=None,
|
||||
policyguid=None, invocationid=None, machinepass=None,
|
||||
policyguid=None, policyguid_dc=None, invocationid=None,
|
||||
machinepass=None,
|
||||
dnspass=None, root=None, nobody=None, users=None,
|
||||
wheel=None, backup=None, serverrole=None,
|
||||
ldap_backend=None, ldap_backend_type=None,
|
||||
|
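Review bot: `policyguid_dc` comes straight from the `--policy-guid-dc` option and is spliced unvalidated into a SYSVOL path (`"{" + policyguid_dc + "}"` feeding `os.makedirs(policy_path_dc, 0755)` in the last hunk) and into the LDIF DN and gPCFileSysPath substitutions, so a malformed value containing path separators, `..`, `;` or `]` creates directories outside `Policies` or yields an unparsable gPLink instead of failing early. The defaulting hunk at 1042 is the natural place to reject it: keep `if policyguid_dc is None: policyguid_dc = str(uuid.uuid4())` and add `else: uuid.UUID(policyguid_dc)` (raises ValueError on non-GUID input; `uuid` is already used on the line above), and `policyguid` has the same pre-existing gap. The new `os.makedirs(policy_path_dc, 0755)` block also has no `isdir` guard, unlike the netlogon directory a few lines below, so re-running provision over an existing SYSVOL raises OSError — presumably intended for a fresh provision, but a one-line comment saying so would help. The `open(...).write(...)` calls for GPT.INI never close the handle explicitly; `with open(...) as f: f.write(...)` is the safer form. The `provision` function continues outside the hunk.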
@ -53,7 +53,9 @@ parser.add_option("--domain-guid", type="string", metavar="GUID",
|
||||
parser.add_option("--domain-sid", type="string", metavar="SID",
|
||||
help="set domainsid (otherwise random)")
|
||||
parser.add_option("--policy-guid", type="string", metavar="GUID",
|
||||
help="set policy guid")
|
||||
help="set guid for domain policy")
|
||||
parser.add_option("--policy-guid-dc", type="string", metavar="GUID",
|
||||
help="set guid for domain controller policy")
|
||||
parser.add_option("--invocationid", type="string", metavar="GUID",
|
||||
help="set invocationid (otherwise random)")
|
||||
parser.add_option("--host-name", type="string", metavar="HOSTNAME",
|
||||
@ -181,7 +183,8 @@ provision(setup_dir, message,
|
||||
session, creds, smbconf=smbconf, targetdir=opts.targetdir,
|
||||
samdb_fill=samdb_fill, realm=opts.realm, domain=opts.domain,
|
||||
domainguid=opts.domain_guid, domainsid=opts.domain_sid,
|
||||
policyguid=opts.policy_guid, hostname=opts.host_name,
|
||||
policyguid=opts.policy_guid, policyguid_dc=opts.policy_guid_dc,
|
||||
hostname=opts.host_name,
|
||||
hostip=opts.host_ip, hostip6=opts.host_ip6,
|
||||
invocationid=opts.invocationid, adminpass=opts.adminpass,
|
||||
krbtgtpass=opts.krbtgtpass, machinepass=opts.machinepass,
|
||||
|
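Review bot: The new `--policy-guid-dc` help string (and the rewritten `--policy-guid` one) omits the "(otherwise random)" qualifier that `--domain-sid` and `--invocationid` carry, although `provision()` falls back to `uuid.uuid4()` when the option is absent; use `help="set guid for domain controller policy (otherwise random)"` and the same suffix for the domain policy option. The option value is also passed through to `provision()` without any GUID format check; optparse's `type="string"` cannot enforce one, so the validation belongs in `provision()` (or a small callback here) before the value reaches filesystem paths and LDIF DNs.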
@ -34,6 +34,7 @@ description: Default container for domain controllers
|
||||
systemFlags: -1946157056
|
||||
isCriticalSystemObject: TRUE
|
||||
showInAdvancedViewOnly: FALSE
|
||||
gPLink: [LDAP://CN={${POLICYGUID_DC}},CN=Policies,CN=System,${DOMAINDN};0]
|
||||
|
||||
# Joined DC located in "provision_self_join.ldif"
|
||||
|
||||
|
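Review bot: The trailing `;0` on the new gPLink value is the link-options bitfield and nothing in the template explains it; add the LDIF comment `# gPLink options 0 = link enabled and not enforced (bit 0 disables, bit 1 enforces)` above the attribute so a later edit does not change it by accident. The entry being extended appears, from the hunk context, to be the Domain Controllers container; if so, any `]`, `;` or newline in the substituted POLICYGUID_DC would corrupt the bracketed gPLink syntax silently, which is a further reason to validate the GUID in the Python provisioning code rather than trusting the substitution here.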
@ -5,7 +5,7 @@ objectClass: groupPolicyContainer
|
||||
displayName: Default Domain Policy
|
||||
gPCFunctionalityVersion: 2
|
||||
gPCFileSysPath: \\${DNSDOMAIN}\sysvol\${DNSDOMAIN}\Policies\{${POLICYGUID}}
|
||||
versionNumber: 65543
|
||||
versionNumber: 65544
|
||||
flags: 0
|
||||
gPCMachineExtensionNames: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-248
|
||||
8-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4
|
||||
@ -26,3 +26,28 @@ dn: CN=Machine,CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
|
||||
objectClass: top
|
||||
objectClass: container
|
||||
systemFlags: -1946157056
|
||||
|
||||
dn: CN={${POLICYGUID_DC}},CN=Policies,CN=System,${DOMAINDN}
|
||||
objectClass: top
|
||||
objectClass: container
|
||||
objectClass: groupPolicyContainer
|
||||
displayName: Default Domain Controllers Policy
|
||||
gPCFunctionalityVersion: 2
|
||||
gPCFileSysPath: \\${DNSDOMAIN}\sysvol\${DNSDOMAIN}\Policies\{${POLICYGUID_DC}}
|
||||
versionNumber: 2
|
||||
flags: 0
|
||||
gPCMachineExtensionNames: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4
|
||||
FB-11D0-A0D0-00A0C90F574B}]
|
||||
nTSecurityDescriptor: O:${DOMAINSID}-512G:${DOMAINSID}-512D:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-519)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
|
||||
systemFlags: -1946157056
|
||||
|
||||
dn: CN=User,CN={${POLICYGUID_DC}},CN=Policies,CN=System,${DOMAINDN}
|
||||
objectClass: top
|
||||
objectClass: container
|
||||
systemFlags: -1946157056
|
||||
|
||||
dn: CN=Machine,CN={${POLICYGUID_DC}},CN=Policies,CN=System,${DOMAINDN}
|
||||
objectClass: top
|
||||
objectClass: container
|
||||
systemFlags: -1946157056
|
||||
|
||||
|
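Review bot: The new Default Domain Controllers Policy object advertises what appears to be the Security Settings client-side extension in `gPCMachineExtensionNames` (`{827D319E-…}{803E14A0-…}`), yet the SYSVOL side that provision creates for POLICYGUID_DC holds only `GPT.INI` and empty `Machine`/`User` directories, so unless a `GptTmpl.inf` is populated elsewhere this policy carries none of the user-rights or audit settings its name implies — worth confirming, or documenting with `# NOTE: SYSVOL contents for this policy are not populated at provisioning time` in the template. The `nTSecurityDescriptor` grants full control to Domain Admins (`-512`), Enterprise Admins (`-519`), CREATOR OWNER and SYSTEM and read-only access to Authenticated Users and Enterprise Domain Controllers, duplicated verbatim from the domain-policy entry; a short comment stating that the two descriptors are meant to stay identical would keep a future edit from diverging them. The `versionNumber: 2` matches the `Version=2` written to the DC policy's GPT.INI and the bumped `65544` matches the domain policy's GPT.INI, which is the consistency the GPO version check relies on.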