mirror of
https://github.com/samba-team/samba.git
synced 2025-01-11 05:18:09 +03:00
712a149802
On Windows dcpromo imports nextRid from the local SAM, which means it's not hardcoded to 1000. The initial rIDAvailablePool starts at nextRid + 100. I also found that the RID Set of the local dc should be created via provision and not at runtime, when the first rid is needed. (Tested with dcpromo on w2k8r2, while disabling the DNS check box). After provision we should have this (assuming nextRid=1000): rIDAllocationPool: 1100-1599 rIDPrevAllocationPool: 1100-1599 rIDUsedPool: 0 rIDNextRID: 1100 rIDAvailablePool: 1600-1073741823 Because provision sets rIDNextRid=1100, the first created account (typically DNS related accounts) will get 1101 as rid! metze
###############################
# Domain Naming Context
###############################
# One LDIF "modify" record that replaces attributes on the domain head
# object (${DOMAINDN}). The ${...} names are template placeholders;
# presumably they are substituted by the provision code before the record
# is applied - confirm against the caller.
# Several values below are domain-wide account policy defaults (lockout,
# password age/length/history, machine account quota) and deserve review
# for any domain that is not a test setup.
dn: ${DOMAINDN}
changetype: modify
-
# The value is the two bytes 0x00 0x01. A 0 byte is not allowed in a plain
# LDIF value, so it is given base64-encoded ("::" syntax, AAE=).
replace: auditingPolicy
auditingPolicy:: AAE=
-
replace: creationTime
creationTime: ${CREATTIME}
-
# "dSCorePropagationDate" should contain the provision data
# forceLogoff below is the smallest signed 64-bit integer; AD reads this
# as "never force a logoff".
replace: forceLogoff
forceLogoff: -9223372036854775808
-
# "fSMORoleOwner" filled in later
replace: gPLink
gPLink: [LDAP://CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN};0]
-
replace: isCriticalSystemObject
isCriticalSystemObject: TRUE
-
# AD interval attributes are negative counts of 100-nanosecond units:
# -18000000000 is 1800 seconds, i.e. 30 minutes.
replace: lockoutDuration
lockoutDuration: -18000000000
-
# Same encoding as lockoutDuration: 30 minutes.
replace: lockOutObservationWindow
lockOutObservationWindow: -18000000000
-
# 0 disables account lockout, so lockoutDuration and
# lockOutObservationWindow above have no effect until a non-zero
# threshold is set. Repeated failed logons are then not limited by
# lockout. NOTE(review): decide this value deliberately per deployment.
replace: lockoutThreshold
lockoutThreshold: 0
-
# "masteredBy" filled in later
# maxPwdAge uses the same 100-nanosecond encoding: 3628800 seconds, i.e.
# 42 days.
replace: maxPwdAge
maxPwdAge: -36288000000000
-
# "minPwdAge" is "0" in order to let the password change tests pass.
# With no minimum age a user can change the password repeatedly in one
# sitting, so pwdHistoryLength alone does not stop a return to an old
# password. NOTE(review): raise this for domains that are not test setups.
replace: minPwdAge
minPwdAge: 0
-
# Minimum password length in characters.
replace: minPwdLength
minPwdLength: 7
-
replace: modifiedCount
modifiedCount: 1
-
replace: modifiedCountAtLastProm
modifiedCountAtLastProm: 0
-
replace: msDS-AllUsersTrustQuota
msDS-AllUsersTrustQuota: 1000
-
replace: msDS-Behavior-Version
msDS-Behavior-Version: ${DOMAIN_FUNCTIONALITY}
-
# Number of computer accounts an ordinary authenticated user may create
# in the domain. NOTE(review): hardened domains commonly set this to 0
# and delegate machine joins explicitly.
replace: ms-DS-MachineAccountQuota
ms-DS-MachineAccountQuota: 10
-
# "msDs-masteredBy" filled in later
replace: msDS-NcType
msDS-NcType: 0
-
replace: msDS-PerUserTrustQuota
msDS-PerUserTrustQuota: 1
-
replace: msDS-PerUserTrustTombstonesQuota
msDS-PerUserTrustTombstonesQuota: 10
-
# Taken from a placeholder rather than hardcoded; per the commit
# description, Windows dcpromo imports nextRid from the local SAM, so it
# is not always 1000.
replace: nextRid
nextRid: ${NEXTRID}
-
# 0 = native mode (no NT4-style mixed domain).
replace: nTMixedDomain
nTMixedDomain: 0
-
replace: objectSid
objectSid: ${DOMAINSID}
-
# This attribute exists only in Samba. The value records the Samba
# version string that provisioned the domain.
replace: oEMInformation
oEMInformation: Provisioned by SAMBA ${SAMBA_VERSION_STRING}
-
# Bit 0 (value 1) is the password-complexity flag
# (DOMAIN_PASSWORD_COMPLEX).
replace: pwdProperties
pwdProperties: 1
-
# Number of previous passwords remembered per account.
replace: pwdHistoryLength
pwdHistoryLength: 24
-
replace: rIDManagerReference
rIDManagerReference: CN=RID Manager$,CN=System,${DOMAINDN}
-
replace: serverState
serverState: 1
-
replace: subRefs
subRefs: ${CONFIGDN}
-
# Signed 32-bit rendering of the flag bitmask 0x8C000000.
replace: systemFlags
systemFlags: -1946157056
-
replace: uASCompat
uASCompat: 1
-