diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index e39a6c45ae2..c7fda92f5e1 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -1594,7 +1594,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths, invocationid=None, machinepass=None, ntdsguid=None, dns_backend=None, dnspass=None, serverrole=None, dom_for_fun_level=None, - am_rodc=False, lp=None, use_ntvfs=False): + am_rodc=False, lp=None, use_ntvfs=False, skip_sysvolacl=True): # create/adapt the group policy GUIDs # Default GUID for default policy are described at # "How Core Group Policy Works" @@ -1631,8 +1631,9 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths, # policy) create_default_gpo(paths.sysvol, names.dnsdomain, policyguid, policyguid_dc) - setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid, paths.wheel_gid, - domainsid, names.dnsdomain, names.domaindn, lp, use_ntvfs) + if not skip_sysvolacl: + setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid, paths.wheel_gid, + domainsid, names.dnsdomain, names.domaindn, lp, use_ntvfs) secretsdb_self_join(secrets_ldb, domain=names.domain, realm=names.realm, dnsdomain=names.dnsdomain, @@ -1766,7 +1767,8 @@ def provision(logger, session_info, credentials, smbconf=None, ol_mmr_urls=None, ol_olc=None, slapd_path="/bin/false", useeadb=False, am_rodc=False, lp=None, use_ntvfs=False, - use_rfc2307=False, maxuid=None, maxgid=None): + use_rfc2307=False, maxuid=None, maxgid=None, + skip_sysvolacl=True): """Provision samba4 :note: caution, this wipes all existing data! 
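Review bot: The new `skip_sysvolacl=True` default on `provision_fill()` (and the same default added to `provision()` in the `@@ -1766,7 +1767,8 @@` hunk) makes skipping the sysvol ACLs the behaviour for every caller that does not pass the argument, where before this change `setsysvolacl()` always ran. Within this diff only `upgrade.py` compensates with its own `setsysvolacl()` call; any other caller, none of which are visible here, would leave sysvol and netlogon with only the permissions the filesystem gave them. A fail-safe signature would be `am_rodc=False, lp=None, use_ntvfs=False, skip_sysvolacl=False):`, with `upgrade.py` opting out explicitly, which it already does. The `provision()` docstring should also document the parameter, e.g. `:param skip_sysvolacl: do not set the sysvol/netlogon ACLs; the caller must call setsysvolacl() itself`.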
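Review bot: When `skip_sysvolacl` is true, the new guard around `setsysvolacl()` in the `@@ -1631,8 +1631,9 @@` hunk skips the call silently, so nothing in the provision log records that sysvol and netlogon were left without their ACLs. An `else:` branch with `logger.info("Skipping sysvol ACL setup; the caller is expected to call setsysvolacl()")` would make that state visible in the log; `logger` is already a parameter of `provision_fill()`. The body of `provision_fill()` starts and ends outside this hunk.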
@@ -2014,7 +2016,8 @@ def provision(logger, session_info, credentials, smbconf=None, ntdsguid=ntdsguid, dns_backend=dns_backend, dnspass=dnspass, serverrole=serverrole, dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc, - lp=lp, use_ntvfs=use_ntvfs) + lp=lp, use_ntvfs=use_ntvfs, + skip_sysvolacl=skip_sysvolacl) create_krb5_conf(paths.krb5conf, dnsdomain=names.dnsdomain, hostname=names.hostname, diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py index 10aa0ec6b75..19a42c786aa 100644 --- a/source4/scripting/python/samba/upgrade.py +++ b/source4/scripting/python/samba/upgrade.py @@ -26,7 +26,7 @@ import pwd from samba import Ldb, registry from samba.param import LoadParm -from samba.provision import provision, FILL_FULL, ProvisioningError +from samba.provision import provision, FILL_FULL, ProvisioningError, setsysvolacl from samba.samba3 import passdb from samba.samba3 import param as s3param from samba.dcerpc import lsa, samr, security @@ -828,7 +828,7 @@ Please fix this account before attempting to upgrade again hostname=netbiosname.lower(), machinepass=machinepass, serverrole=serverrole, samdb_fill=FILL_FULL, useeadb=useeadb, dns_backend=dns_backend, use_rfc2307=True, - use_ntvfs=use_ntvfs) + use_ntvfs=use_ntvfs, skip_sysvolacl=True) result.report_logger(logger) # Import WINS database @@ -902,5 +902,9 @@ Please fix this account before attempting to upgrade again s4_passdb.update_sam_account(admin_userdata) logger.info("Administrator password has been set to password of user '%s'", admin_user) + if result.server_role == "active directory domain controller": + setsysvolacl(result.samdb, result.paths.netlogon, result.paths.sysvol, result.paths.root_uid, result.paths.wheel_gid, + security.dom_sid(result.domainsid), result.names.dnsdomain, result.names.domaindn, result.lp, use_ntvfs) + # FIXME: import_registry(registry.Registry(), samba3.get_registry()) # FIXME: shares
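Review bot: The `setsysvolacl()` call added at the end of the upgrade (`@@ -902,5 +902,9 @@`) runs only if every step between `provision(..., skip_sysvolacl=True)` and this point succeeds; an exception in between (those steps are mostly outside this hunk) would leave the freshly provisioned sysvol without the ACLs. A comment should say why the call lives here, e.g. `# provision() was called with skip_sysvolacl=True, so the sysvol ACLs are set here`, and the failure path should either apply the ACLs or log that they are missing. The role check compares against the literal `"active directory domain controller"`; if `result.server_role` can carry another spelling of the DC role (not visible here), the ACLs would be skipped with no message, so an `else:` log line is worth adding. The enclosing function starts outside the hunk.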