s4:provision: don't use hardcoded values for 'nextRid' and 'rIDAvailablePool'

On Windows dcpromo imports nextRid from the local SAM,
which means it's not hardcoded to 1000.

The initlal rIDAvailablePool starts at nextRid + 100.

I also found that the RID Set of the local dc
should be created via provision and not at runtime,
when the first rid is needed.
(Tested with dcpromo on w2k8r2, while disabling the DNS
 check box).

After provision we should have this (assuming nextRid=1000):

rIDAllocationPool: 1100-1599
rIDPrevAllocationPool: 1100-1599
rIDUsedPool: 0
rIDNextRID: 1100

rIDAvailablePool: 1600-1073741823

Because provision sets rIDNextRid=1100, the first created account
(typically DNS related accounts) will get 1101 as rid!

metze

source4/scripting/python/samba/provision.py

@@ -868,7 +868,7 @@ def setup_samdb_rootdse(samdb, setup_path, names):
 
 def setup_self_join(samdb, names,
                     machinepass, dnspass, 
-                    domainsid, invocationid, setup_path,
+                    domainsid, next_rid, invocationid, setup_path,
                     policyguid, policyguid_dc, domainControllerFunctionality,
                     ntdsguid):
     """Join a host to its own domain."""
@@ -890,6 +890,7 @@ def setup_self_join(samdb, names,
               "REALM": names.realm,
               "DOMAIN": names.domain,
               "DOMAINSID": str(domainsid),
+              "DCRID": str(next_rid),
               "DNSDOMAIN": names.dnsdomain,
               "SAMBA_VERSION_STRING": version,
               "NTDSGUID": ntdsguid_line,
@@ -920,6 +921,8 @@ def setup_self_join(samdb, names,
               "NETBIOSNAME": names.netbiosname,
               "NTDSGUID": names.ntdsguid,
               "DNSPASS_B64": b64encode(dnspass),
+              "RIDALLOCATIONSTART": str(next_rid + 100),
+              "RIDALLOCATIONEND": str(next_rid + 100 + 499),
               })
 
 def getpolicypath(sysvolpath, dnsdomain, guid):
@@ -947,7 +950,8 @@ def setup_gpo(sysvolpath, dnsdomain, policyguid, policyguid_dc):
 def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
         logger, domainsid, domainguid, policyguid, policyguid_dc, fill,
         adminpass, krbtgtpass, machinepass, invocationid, dnspass, ntdsguid,
-        serverrole, am_rodc=False, dom_for_fun_level=None, schema=None):
+        serverrole, am_rodc=False, dom_for_fun_level=None, schema=None,
+        next_rid=1000):
     """Setup a complete SAM Database.
     
     :note: This will wipe the main SAM database file!
@@ -1027,6 +1031,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
         setup_modify_ldif(samdb, setup_path("provision_basedn_modify.ldif"), {
             "CREATTIME": str(int(time.time() * 1e7)), # seconds -> ticks
             "DOMAINSID": str(domainsid),
+            "NEXTRID": str(next_rid),
             "SCHEMADN": names.schemadn, 
             "NETBIOSNAME": names.netbiosname,
             "DEFAULTSITE": names.sitename,
@@ -1109,6 +1114,7 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
             "DEFAULTSITE": names.sitename,
             "CONFIGDN": names.configdn,
             "SERVERDN": names.serverdn,
+            "RIDAVAILABLESTART": str(next_rid + 600),
             "POLICYGUID_DC": policyguid_dc
             })
 
@@ -1132,7 +1138,9 @@ def setup_samdb(path, setup_path, session_info, provision_backend, lp, names,
             setup_self_join(samdb, names=names, invocationid=invocationid,
                             dnspass=dnspass,
                             machinepass=machinepass,
-                            domainsid=domainsid, policyguid=policyguid,
+                            domainsid=domainsid,
+                            next_rid=next_rid,
+                            policyguid=policyguid,
                             policyguid_dc=policyguid_dc,
                             setup_path=setup_path,
                             domainControllerFunctionality=domainControllerFunctionality,

source4/setup/provision.ldif

@@ -809,7 +809,7 @@ dn: CN=RID Manager$,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: rIDManager
 systemFlags: -1946157056
-rIDAvailablePool: 1001-1073741823
+rIDAvailablePool: ${RIDAVAILABLESTART}-1073741823
 isCriticalSystemObject: TRUE
 
 dn: CN=RpcServices,CN=System,${DOMAINDN}

source4/setup/provision_basedn_modify.ldif

@@ -68,7 +68,7 @@ replace: msDS-PerUserTrustTombstonesQuota
 msDS-PerUserTrustTombstonesQuota: 10
 -
 replace: nextRid
-nextRid: 1000
+nextRid: ${NEXTRID}
 -
 replace: nTMixedDomain
 nTMixedDomain: 0

source4/setup/provision_self_join.ldif

@@ -32,7 +32,7 @@ servicePrincipalName: ldap/${DNSNAME}
 servicePrincipalName: ldap/${DNSNAME}/${REALM}
 userAccountControl: 532480
 userPassword:: ${MACHINEPASS_B64}
-objectSID: ${DOMAINSID}-1000
+objectSID: ${DOMAINSID}-${DCRID}
 
 # Here are missing the objects for the NTFRS subscription since we don't
 # support this technique yet.

source4/setup/provision_self_join_modify.ldif

@@ -28,11 +28,21 @@ changetype: modify
 replace: interSiteTopologyGenerator
 interSiteTopologyGenerator: CN=NTDS Settings,${SERVERDN}
 
+dn: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
+changetype: add
+objectClass: rIDSet
+rIDAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
+rIDPreviousAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
+rIDUsedPool: 0
+rIDNextRID: ${RIDALLOCATIONSTART}
+
 dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
 changetype: modify
 add: servicePrincipalName
 servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/${NTDSGUID}/${DNSDOMAIN}
 servicePrincipalName: ldap/${NTDSGUID}._msdcs.${DNSDOMAIN}
+add: rIDSetReferences
+rIDSetReferences: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
 
 # NOTE: This account is SAMBA4 specific!
 dn: CN=dns,CN=Users,${DOMAINDN}