1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-25 06:04:04 +03:00
samba-mirror/source4/setup/provision_self_join.ldif
Douglas Bagnall 0a555cf097 CVE-2020-25722 s4/provision: add host/ SPNs at the start
There are two reasons for this. Firstly, leaving SPNs unclaimed is
dangerous, as someone else could grab them first. Secondly, in some
circumstances (self join) we try to add a DNS/ SPN a little bit later
in provision. Under the rules we are introducing for CVE-2020-25722,
this will make our later attempts to add HOST/ fail.

This causes a few errors in samba4.blackbox.dbcheck.* tests, which
assert that revivified old domains match stored reference versions.
Now they don't, because they have servicePrincipalNames.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00

35 lines
1.2 KiB
Plaintext

# Accounts for selfjoin (joins DC to itself)
# Object under "Domain Controllers"
dn: CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
accountExpires: 9223372036854775807
dNSHostName: ${DNSNAME}
# "MSDFSR-ComputerReferenceBL" doesn't exist since we still miss DFSR support
# "isCritcalSystemObject" is now filled in by the samldb LDB module
localPolicyFlags: 0
operatingSystem: Samba
operatingSystemVersion: ${SAMBA_VERSION_STRING}
sAMAccountName: ${NETBIOSNAME}$
userAccountControl: 532480
clearTextPassword:: ${MACHINEPASS_B64}
objectSid: ${DOMAINSID}-${DCRID}
# While some "servicePrincipalName" updates might be handled by the
# "samba_spnupdate" script, we need to get the basics in here before
# we add any others.
servicePrincipalName: HOST/${DNSNAME}
servicePrincipalName: HOST/${NETBIOSNAME}
servicePrincipalName: HOST/${DNSNAME}/${DNSNAME}
dn: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
objectClass: rIDSet
rIDAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
rIDPreviousAllocationPool: ${RIDALLOCATIONSTART}-${RIDALLOCATIONEND}
rIDUsedPool: 0
rIDNextRID: ${RIDALLOCATIONSTART}