From 3cddb6ad07e44a404480fece8973b702618c1c33 Mon Sep 17 00:00:00 2001
From: Garming Sam
Date: Thu, 24 Aug 2017 13:59:22 +1200
Subject: [PATCH] 2008R2: Missing operation (75, 76) for ActiveDirectoryUpdate version 5 (FL)

Operation 75 {5e1574f6-55df-493e-a6-71-aa-ef-fc-a6-a1-00} - Create the CN=Managed Service Accounts object
Operation 76 {d262aae8-41f7-48ed-9f-35-56-bb-b6-77-57-3d} - Add otherWellKnownObject link for CN=Managed Service Accounts

Referenced in the page 'Windows Server 2008R2: Domain-Wide Updates':
https://technet.microsoft.com/en-us/library/dd378973(v=ws.10).aspx

Signed-off-by: Garming Sam
Reviewed-by: Andrew Bartlett
---
 python/samba/descriptor.py | 11 +++++++++++
 python/samba/provision/__init__.py | 8 ++++++--
 selftest/knownfail.d/functionalprep | 1 +
 source4/setup/provision.ldif | 8 ++++++++
 source4/setup/provision_basedn_references.ldif | 8 ++++++++
 5 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 selftest/knownfail.d/functionalprep

diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
index 86ea869b0ed..cf797cc3e94 100644
--- a/python/samba/descriptor.py
+++ b/python/samba/descriptor.py
@@ -268,6 +268,17 @@ def get_domain_users_descriptor(domain_sid, name_map={}):
 "S:"
 return sddl2binary(sddl, domain_sid, name_map)
 
+def get_managed_service_accounts_descriptor(domain_sid, name_map={}):
+ sddl = "D:" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)" \
+ "(A;;RPWPCRCCDCLCLORCWOWDSW;;;DA)" \
+ "(OA;;CCDC;ce206244-5827-4a86-ba1c-1c0c386c1b64;;AO)" \
+ "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)" \
+ "(OA;;CCDC;bf967a9c-0de6-11d0-a285-00aa003049e2;;AO)" \
+ "(A;;RPLCLORC;;;AU)" \
+ "S:"
+ return sddl2binary(sddl, domain_sid, name_map)
+
 def get_domain_controllers_descriptor(domain_sid, name_map={}):
 sddl = "D:" \
 "(A;;RPLCLORC;;;AU)" \
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index cc654f32a88..2a926bbecf2 100644
--- a/python/samba/provision/__init__.py
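Review bot: get_managed_service_accounts_descriptor has no docstring and its three object-specific ACEs are bare schema GUIDs, so a reader cannot tell what Account Operators (AO) are being allowed to create under the new container without a schema lookup. A docstring such as `"""Default nTSecurityDescriptor for CN=Managed Service Accounts: full control for SYSTEM, the same minus delete/delete-tree for Domain Admins, create-child for Account Operators on the three classes named by GUID, read/list for Authenticated Users."""` would make the grant auditable; the GUIDs look like the user, group and msDS-ManagedServiceAccount classes, but confirm that against the schema before naming them in the comment. The `name_map={}` mutable default matches the neighbouring functions, so it is only worth changing file-wide. The hunk's last lines belong to get_domain_controllers_descriptor, whose body continues outside the hunk.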
+++ b/python/samba/provision/__init__.py @@ -100,6 +100,7 @@ from samba.descriptor import ( get_dns_partition_descriptor, get_dns_forest_microsoft_dns_descriptor, get_dns_domain_microsoft_dns_descriptor, + get_managed_service_accounts_descriptor, ) from samba.provision.common import ( setup_path, @@ -1479,6 +1480,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid, # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it if fill == FILL_FULL: + managedservice_descr = b64encode(get_managed_service_accounts_descriptor(names.domainsid)) setup_modify_ldif(samdb, setup_path("provision_configuration_references.ldif"), { "CONFIGDN": names.configdn, @@ -1493,8 +1495,10 @@ def fill_samdb(samdb, lp, names, logger, policyguid, if fill == FILL_FULL or fill == FILL_SUBDOMAIN: setup_modify_ldif(samdb, - setup_path("provision_basedn_references.ldif"), - {"DOMAINDN": names.domaindn}) + setup_path("provision_basedn_references.ldif"), { + "DOMAINDN": names.domaindn, + "MANAGEDSERVICE_DESCRIPTOR": managedservice_descr + }) logger.info("Setting up sam.ldb users and groups") setup_add_ldif(samdb, setup_path("provision_users.ldif"), { diff --git a/selftest/knownfail.d/functionalprep b/selftest/knownfail.d/functionalprep new file mode 100644 index 00000000000..6e376dd8c07 --- /dev/null +++ b/selftest/knownfail.d/functionalprep @@ -0,0 +1 @@ +^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_full_sd diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif index 61d735cb2c9..c17710fb6a2 100644 --- a/source4/setup/provision.ldif +++ b/source4/setup/provision.ldif 
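Review bot: managedservice_descr is assigned only inside `if fill == FILL_FULL:` (hunk at -1479) but read in the `if fill == FILL_FULL or fill == FILL_SUBDOMAIN:` block (hunk at -1493), so a FILL_SUBDOMAIN provision reaches the new `"MANAGEDSERVICE_DESCRIPTOR": managedservice_descr` entry with the name unbound and raises UnboundLocalError. Move the assignment ahead of both conditionals, i.e. place `managedservice_descr = b64encode(get_managed_service_accounts_descriptor(names.domainsid))` before the `if fill == FILL_FULL:` line rather than under it, since the descriptor depends only on names.domainsid. If this code is ever run under Python 3, b64encode returns bytes and the template substitution will presumably need a `.decode()` as well; that is inferred, not visible here. fill_samdb starts and ends outside these hunks.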
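Review bot: The new knownfail entry `^samba4.blackbox.upgradeprovision.release-4-0-0.ldapcmp_full_sd` marks the security-descriptor comparison as expected to fail rather than fixing it, which suggests existing domains (and ones upgraded from release-4-0-0) will still lack CN=Managed Service Accounts and the otherWellKnownObjects link until upgradeprovision or dbcheck learn to add them. If the knownfail.d format accepts `#` comments, a line naming the reason and the follow-up would keep this from being forgotten, e.g. `# Managed Service Accounts container and its descriptor are created at provision only; upgradeprovision does not add them yet`. Otherwise the commit message should say the same.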
@@ -464,6 +464,14 @@ objectClass: top
 objectClass: container
 revision: 9
 
+dn: CN=5e1574f6-55df-493e-a671-aaeffca6a100,CN=Operations,CN=DomainUpdates,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+
+dn: CN=d262aae8-41f7-48ed-9f35-56bbb677573d,CN=Operations,CN=DomainUpdates,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+
 # End domain updates
 
 dn: CN=File Replication Service,CN=System,${DOMAINDN}
diff --git a/source4/setup/provision_basedn_references.ldif b/source4/setup/provision_basedn_references.ldif
index 188982aee19..7eda88dd604 100644
--- a/source4/setup/provision_basedn_references.ldif
+++ b/source4/setup/provision_basedn_references.ldif
@@ -1,6 +1,13 @@
 ###############################
 # Domain Naming Context
 ###############################
+dn: CN=Managed Service Accounts,${DOMAINDN}
+changetype: add
+objectClass: container
+description: Default container for managed service accounts
+showInAdvancedViewOnly: FALSE
+nTSecurityDescriptor:: ${MANAGEDSERVICE_DESCRIPTOR}
+
 dn: ${DOMAINDN}
 changetype: modify
 -
@@ -19,4 +26,5 @@ wellKnownObjects: B:32:ab1d30f3768811d1aded00c04fd8d5cd:CN=System,${DOMAINDN}
 wellKnownObjects: B:32:a361b2ffffd211d1aa4b00c04fd7d83a:OU=Domain Controllers,${DOMAINDN}
 wellKnownObjects: B:32:aa312825768811d1aded00c04fd8d5cd:CN=Computers,${DOMAINDN}
 wellKnownObjects: B:32:a9d1ca15768811d1aded00c04fd8d5cd:CN=Users,${DOMAINDN}
+otherWellKnownObjects: B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,${DOMAINDN}
 -
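Review bot: The two new operation containers in provision.ldif are bare GUIDs; the neighbouring entries are unnamed too, but the commit message is the only place that records what operations 75 and 76 mean, and that mapping is lost in the file. A `#` line before each entry, `# Operation 75: create CN=Managed Service Accounts` and `# Operation 76: add otherWellKnownObjects link for CN=Managed Service Accounts`, would make the list checkable against the Microsoft domain-wide update table cited in the message. The commit message also writes the GUIDs with hyphenated trailing bytes (`...-a6-71-aa-ef-...`), which differs from the DN form used here, so a search for the DN value will not find the message; worth normalising.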
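Review bot: In the -19,4 hunk of provision_basedn_references.ldif the new `otherWellKnownObjects:` value is placed inside the modification block that carries the `wellKnownObjects:` values, whose `add:`/`replace:` directive line is outside the hunk. Under strict RFC 2849 a modification spec may only list values of the attribute it names, so this relies on the ldb LDIF parser being lenient about a second attribute appearing in the same block; I believe it opens a new element, but that is inferred rather than visible. Giving the attribute its own block, `-`, `replace: otherWellKnownObjects` (or `add:`, matching the enclosing block), then the value line, keeps the file valid for any parser and makes the intent explicit.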