r7995: * privileges are local except when they're *not*

  printmig.exe assumes that the LUID of the SeBackupPrivlege
  on the target server matches the LUID of the privilege
  on the local client.  Even though an LUID is never guaranteed
  to be the same across reboots.  How *awful*!  My cat could
  write better code! (more on my cat later....)

* Set the privelege LUID in the global PRIVS[] array

* Rename RegCreateKey() to RegCreateKeyEx() to better match MSDN

* Rename the unknown field in RegCreateKeyEx() to disposition
  (guess according to MSDN)

* Add the capability to define REG_TDB_ONLY for using the reg_db.c
  functions and stress the RegXXX() rpc functions.
(This used to be commit 0d6352da4800aabc04dfd7c65a6afe6af7cd2d4b)

1 files changed, 64 insertions, 60 deletions

diff --git a/source3/lib/privileges.c b/source3/lib/privileges.c
index ae98d8940f..30db2fc2bb 100644
--- a/source3/lib/privileges.c
+++ b/source3/lib/privileges.c
@@ -25,8 +25,6 @@
 
 #define PRIVPREFIX              "PRIV_"
 
-#define GENERATE_LUID_LOW(x)	(x)+1;
-
 static const SE_PRIV se_priv_all  = SE_ALL_PRIVS;
 static const SE_PRIV se_priv_end  = SE_END;
 
@@ -43,60 +41,65 @@ const SE_PRIV se_restore         = SE_RESTORE;
 
 /********************************************************************
  This is a list of privileges reported by a WIndows 2000 SP4 AD DC
- just for reference purposes:
-
-            SeCreateTokenPrivilege  Create a token object
-     SeAssignPrimaryTokenPrivilege  Replace a process level token
-             SeLockMemoryPrivilege  Lock pages in memory
-          SeIncreaseQuotaPrivilege  Increase quotas
-         SeMachineAccountPrivilege  Add workstations to domain
-                    SeTcbPrivilege  Act as part of the operating system
-               SeSecurityPrivilege  Manage auditing and security log
-          SeTakeOwnershipPrivilege  Take ownership of files or other objects
-             SeLoadDriverPrivilege  Load and unload device drivers
-          SeSystemProfilePrivilege  Profile system performance
-             SeSystemtimePrivilege  Change the system time
-   SeProfileSingleProcessPrivilege  Profile single process
-   SeIncreaseBasePriorityPrivilege  Increase scheduling priority
-         SeCreatePagefilePrivilege  Create a pagefile
-        SeCreatePermanentPrivilege  Create permanent shared objects
-                 SeBackupPrivilege  Back up files and directories
-                SeRestorePrivilege  Restore files and directories
-               SeShutdownPrivilege  Shut down the system
-                  SeDebugPrivilege  Debug programs
-                  SeAuditPrivilege  Generate security audits
-      SeSystemEnvironmentPrivilege  Modify firmware environment values
-           SeChangeNotifyPrivilege  Bypass traverse checking
-         SeRemoteShutdownPrivilege  Force shutdown from a remote system
-                 SeUndockPrivilege  Remove computer from docking station
-              SeSyncAgentPrivilege  Synchronize directory service data
-       SeEnableDelegationPrivilege  Enable computer and user accounts to be trusted for delegation
-           SeManageVolumePrivilege  Perform volume maintenance tasks
-            SeImpersonatePrivilege  Impersonate a client after authentication
-           SeCreateGlobalPrivilege  Create global objects
-
-********************************************************************/
-
-
+ just for reference purposes (and I know the LUID is not guaranteed 
+ across reboots):
+
+            SeCreateTokenPrivilege  Create a token object ( 0x0, 0x2 )
+     SeAssignPrimaryTokenPrivilege  Replace a process level token ( 0x0, 0x3 )
+             SeLockMemoryPrivilege  Lock pages in memory ( 0x0, 0x4 )
+          SeIncreaseQuotaPrivilege  Increase quotas ( 0x0, 0x5 )
+         SeMachineAccountPrivilege  Add workstations to domain ( 0x0, 0x6 )
+                    SeTcbPrivilege  Act as part of the operating system ( 0x0, 0x7 )
+               SeSecurityPrivilege  Manage auditing and security log ( 0x0, 0x8 )
+          SeTakeOwnershipPrivilege  Take ownership of files or other objects ( 0x0, 0x9 )
+             SeLoadDriverPrivilege  Load and unload device drivers ( 0x0, 0xa )
+          SeSystemProfilePrivilege  Profile system performance ( 0x0, 0xb )
+             SeSystemtimePrivilege  Change the system time ( 0x0, 0xc )
+   SeProfileSingleProcessPrivilege  Profile single process ( 0x0, 0xd )
+   SeIncreaseBasePriorityPrivilege  Increase scheduling priority ( 0x0, 0xe )
+         SeCreatePagefilePrivilege  Create a pagefile ( 0x0, 0xf )
+        SeCreatePermanentPrivilege  Create permanent shared objects ( 0x0, 0x10 )
+                 SeBackupPrivilege  Back up files and directories ( 0x0, 0x11 )
+                SeRestorePrivilege  Restore files and directories ( 0x0, 0x12 )
+               SeShutdownPrivilege  Shut down the system ( 0x0, 0x13 )
+                  SeDebugPrivilege  Debug programs ( 0x0, 0x14 )
+                  SeAuditPrivilege  Generate security audits ( 0x0, 0x15 )
+      SeSystemEnvironmentPrivilege  Modify firmware environment values ( 0x0, 0x16 )
+           SeChangeNotifyPrivilege  Bypass traverse checking ( 0x0, 0x17 )
+         SeRemoteShutdownPrivilege  Force shutdown from a remote system ( 0x0, 0x18 )
+                 SeUndockPrivilege  Remove computer from docking station ( 0x0, 0x19 )
+              SeSyncAgentPrivilege  Synchronize directory service data ( 0x0, 0x1a )
+       SeEnableDelegationPrivilege  Enable computer and user accounts to be trusted for delegation ( 0x0, 0x1b )
+           SeManageVolumePrivilege  Perform volume maintenance tasks ( 0x0, 0x1c )
+            SeImpersonatePrivilege  Impersonate a client after authentication ( 0x0, 0x1d )
+           SeCreateGlobalPrivilege  Create global objects ( 0x0, 0x1e )
+
+ ********************************************************************/
+
+/* we have to define the LUID here due to a horrible check by printmig.exe
+   that requires the SeBackupPrivilege match what is in Windows.  So match
+   those that we implement and start Samba privileges at 0x1001 */
+   
 PRIVS privs[] = {
 #if 0	/* usrmgr will display these twice if you include them.  We don't 
 	   use them but we'll keep the bitmasks reserved in privileges.h anyways */
 	   
-	{SE_NETWORK_LOGON,		"SeNetworkLogonRight",			"Access this computer from network"},
-	{SE_INTERACTIVE_LOGON,		"SeInteractiveLogonRight",		"Log on locally"},
-	{SE_BATCH_LOGON,		"SeBatchLogonRight",			"Log on as a batch job"},
-	{SE_SERVICE_LOGON,		"SeServiceLogonRight",			"Log on as a service"},
+	{SE_NETWORK_LOGON,	"SeNetworkLogonRight",		"Access this computer from network", 	   { 0x0, 0x0 }},
+	{SE_INTERACTIVE_LOGON,	"SeInteractiveLogonRight",	"Log on locally", 			   { 0x0, 0x0 }},
+	{SE_BATCH_LOGON,	"SeBatchLogonRight",		"Log on as a batch job",		   { 0x0, 0x0 }},
+	{SE_SERVICE_LOGON,	"SeServiceLogonRight",		"Log on as a service",			   { 0x0, 0x0 }},
 #endif
-	{SE_MACHINE_ACCOUNT,		"SeMachineAccountPrivilege",		"Add machines to domain"},
-	{SE_PRINT_OPERATOR,		"SePrintOperatorPrivilege",		"Manage printers"},
-	{SE_ADD_USERS,			"SeAddUsersPrivilege",			"Add users and groups to the domain"},
-	{SE_REMOTE_SHUTDOWN,		"SeRemoteShutdownPrivilege",		"Force shutdown from a remote system"},
-	{SE_DISK_OPERATOR,		"SeDiskOperatorPrivilege",		"Manage disk shares"},
-        {SE_BACKUP,                     "SeBackupPrivilege",                    "Back up files and directories"},
-        {SE_RESTORE,                    "SeRestorePrivilege",                   "Restore files and directories"},
-	{SE_TAKE_OWNERSHIP,             "SeTakeOwnershipPrivilege",             "Take ownership of files or other objects"},
-
-	{SE_END,			"",					""}
+	{SE_MACHINE_ACCOUNT,	"SeMachineAccountPrivilege",	"Add machines to domain",		   { 0x0, 0x0006 }},
+	{SE_TAKE_OWNERSHIP,     "SeTakeOwnershipPrivilege",     "Take ownership of files or other objects",{ 0x0, 0x0009 }},
+        {SE_BACKUP,             "SeBackupPrivilege",            "Back up files and directories",	   { 0x0, 0x0011 }},
+        {SE_RESTORE,            "SeRestorePrivilege",           "Restore files and directories",	   { 0x0, 0x0012 }},
+	{SE_REMOTE_SHUTDOWN,	"SeRemoteShutdownPrivilege",	"Force shutdown from a remote system",	   { 0x0, 0x0018 }},
+	
+	{SE_PRINT_OPERATOR,	"SePrintOperatorPrivilege",	"Manage printers",			   { 0x0, 0x1001 }},
+	{SE_ADD_USERS,		"SeAddUsersPrivilege",		"Add users and groups to the domain",	   { 0x0, 0x1002 }},
+	{SE_DISK_OPERATOR,	"SeDiskOperatorPrivilege",	"Manage disk shares",			   { 0x0, 0x1003 }},
+
+	{SE_END, "", "", { 0x0, 0x0 }}
 };
 
 typedef struct {
@@ -109,7 +112,6 @@ typedef struct {
 	SID_LIST sids;
 } PRIV_SID_LIST;
 
-
 /***************************************************************************
  copy an SE_PRIV structure
 ****************************************************************************/
@@ -402,7 +404,7 @@ LUID_ATTR get_privilege_luid( SE_PRIV *mask )
 	for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
 	
 		if ( se_priv_equal( &privs[i].se_priv, mask ) ) {
-			priv_luid.luid.low = GENERATE_LUID_LOW(i);
+			priv_luid.luid = privs[i].luid;
 			break;
 		}
 	}
@@ -746,17 +748,19 @@ BOOL user_has_any_privilege(NT_USER_TOKEN *token, const SE_PRIV *privilege)
 char* luid_to_privilege_name(const LUID *set)
 {
 	static fstring name;
-	int max = count_all_privileges();
+	int i;
 
 	if (set->high != 0)
 		return NULL;
 
-	if ( set->low > max )
-		return NULL;
-
-	fstrcpy( name, privs[set->low - 1].name );
+	for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
+		if ( set->low == privs[i].luid.low ) {
+			fstrcpy( name, privs[set->low - 1].name );
+			return name;
+		}
+	}
 	
-	return name;
+	return NULL;
 }
 
 /*******************************************************************
@@ -792,7 +796,7 @@ BOOL se_priv_to_privilege_set( PRIVILEGE_SET *set, SE_PRIV *mask )
 		if ( !is_privilege_assigned(mask, &privs[i].se_priv) )
 			continue;
 		
-		luid.luid.low = GENERATE_LUID_LOW(i);
+		luid.luid = privs[i].luid;
 		
 		if ( !privilege_set_add( set, luid ) )
 			return False;