CVE-2018-14628: s4:setup: set the correct nTSecurityDescriptor on the CN=Deleted Objects container

This revealed a bug in our dirsync code, so we mark
test_search_with_dirsync_deleted_objects as knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7f8b15faa7)

selftest/knownfail.d/samba4.ldap.confidential_attr

@@ -0,0 +1 @@
+^samba4.ldap.confidential_attr.python.*.__main__.*.test_search_with_dirsync_deleted_objects

source4/setup/provision.ldif

@@ -34,6 +34,7 @@ isDeleted: TRUE
 isCriticalSystemObject: TRUE
 showInAdvancedViewOnly: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
 
 # Computers located in "provision_computers*.ldif"
 # Users/Groups located in "provision_users*.ldif"

source4/setup/provision_configuration.ldif

@@ -14,6 +14,7 @@ description: Container for deleted objects
 isDeleted: TRUE
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
 
 # Extended rights
 

source4/setup/provision_dnszones_add.ldif

@@ -8,6 +8,7 @@ description: Deleted objects
 isDeleted: TRUE
 isCriticalSystemObject: TRUE
 systemFlags: -1946157056
+nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
 
 dn: CN=LostAndFound,${ZONE_DN}
 objectClass: top