r4724: Add support for Windows privileges in Samba 3.0

(based on Simo's code in trunk).  Rewritten with the
following changes:

* privilege set is based on a 32-bit mask instead of strings
  (plans are to extend this to a 64 or 128-bit mask before
   the next 3.0.11preX release).
* Remove the privilege code from the passdb API
  (replication to come later)
* Only support the minimum amount of privileges that make
  sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege
  instead of the 'is a member of "Domain Admins"?' check that started
  all this.

Still todo:

* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin'
  parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one
  Samba DC to another.
* Come up with some management tool for manipultaing privileges
  instead of user manager since it is buggy when run on a 2k client
  (haven't tried xp).  Works ok on NT4.
(This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)

1 files changed, 39 insertions, 15 deletions

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 98ecd00d1c..e4793c3df3 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -493,6 +493,11 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token)
 	for (i = 0; i < token->num_sids; i++)
 		DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i, 
 					       sid_to_string(sid_str, &token->user_sids[i])));
+
+	DEBUGADDC(dbg_class, dbg_lev, ("Privileges: [%d]\n", token->privileges.count));
+	for ( i=0; i<token->privileges.count; i++ ) {
+		DEBUGADDC(dbg_class, dbg_lev, ("\t%s\n", luid_to_privilege_name(&token->privileges.set[i].luid) ));
+	}
 }
 
 /****************************************************************************
@@ -583,6 +588,13 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro
 			ptoken->num_sids--;
 		}
 	}
+
+	/* add privileges assigned to this user */
+
+	privilege_set_init( &ptoken->privileges );
+
+	get_privileges_for_sids( &ptoken->privileges, ptoken->user_sids, ptoken->num_sids );
+
 	
 	debug_nt_user_token(DBGC_AUTH, 10, ptoken);
 	
@@ -1410,12 +1422,15 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me
 
 void delete_nt_token(NT_USER_TOKEN **pptoken)
 {
-    if (*pptoken) {
-	    NT_USER_TOKEN *ptoken = *pptoken;
-	    SAFE_FREE( ptoken->user_sids );
-	    ZERO_STRUCTP(ptoken);
-    }
-    SAFE_FREE(*pptoken);
+	if (*pptoken) {
+		NT_USER_TOKEN *ptoken = *pptoken;
+
+		SAFE_FREE( ptoken->user_sids );
+		privilege_set_free( &ptoken->privileges );
+
+		ZERO_STRUCTP(ptoken);
+	}
+	SAFE_FREE(*pptoken);
 }
 
 /****************************************************************************
@@ -1429,17 +1444,26 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken)
 	if (!ptoken)
 		return NULL;
 
-    if ((token = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL)
-        return NULL;
-
-    ZERO_STRUCTP(token);
+	if ((token = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL)
+		return NULL;
 
-    if ((token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids )) == NULL) {
-        SAFE_FREE(token);
-        return NULL;
-    }
+	ZERO_STRUCTP(token);
+	
+	token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids );
+	
+	if ( !token ) {
+		SAFE_FREE(token);
+		return NULL;
+	}
 
-    token->num_sids = ptoken->num_sids;
+	token->num_sids = ptoken->num_sids;
+	
+	/* copy the privileges; don't consider failure to be critical here */
+	
+	privilege_set_init( &token->privileges);
+	if ( !dup_privilege_set( &token->privileges, &ptoken->privileges ) ) {
+		DEBUG(0,("dup_nt_token: Failure to copy PRIVILEGE_SET!.  Continuing with 0 privileges assigned.\n"));
+	}
 
 	return token;
 }