authorGerald Carter <jerry@samba.org>2005-01-13 18:20:37 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:53:51 -0500
commitd94d87472ca2f3875caa146424caa178ce20274f (patch)
treea4c6f78f7b22c649b7d9405aa27f64daf749c1fb /source3/rpc_server/srv_samr_nt.c
parent94b88f8f26342b6ca4afecec459235c523355f6c (diff)
r4724: Add support for Windows privileges in Samba 3.0
(based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipulating privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
Diffstat (limited to 'source3/rpc_server/srv_samr_nt.c')
-rw-r--r--source3/rpc_server/srv_samr_nt.c44
1 files changed, 22 insertions, 22 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index da1c386fd2..271553f4b2 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -2215,7 +2215,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA
uint32 new_rid = 0;
/* check this, when giving away 'add computer to domain' privs */
uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
- BOOL is_domain_admin = False;
+ BOOL can_add_machines = False;
/* Get the domain SID stored in the domain policy */
if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted))
@@ -2242,10 +2242,10 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA
/* check to see if we are a domain admin */
- is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ can_add_machines = user_has_privilege( p->pipe_user.nt_user_token, SE_MACHINE_ACCOUNT );
DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n",
- p->pipe_user_name, is_domain_admin ? "" : " not"));
+ p->pipe_user_name, can_add_machines ? "" : " not"));
pdb_init_sam(&sam_pass);
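Review bot: The DEBUG line still reports whether the caller `is%s a member of the Domain Admins group`, but the value it prints is now the result of `user_has_privilege( ..., SE_MACHINE_ACCOUNT )`, so the log will assert a group membership that was never checked, and the context comment `/* check to see if we are a domain admin */` is stale for the same reason. Suggest `DEBUG(5, ("_samr_create_user: %s does%s hold SeMachineAccountPrivilege\n", p->pipe_user_name, can_add_machines ? "" : " not"));` and `/* check whether the caller holds SeMachineAccountPrivilege */`. The same stale message is left in the _samr_set_userinfo and _samr_set_userinfo2 hunks, where it additionally still carries the `_samr_create_user:` prefix, so an operator reading the log cannot tell which RPC made the elevation decision. The body of _samr_create_user begins before this hunk.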
@@ -2280,9 +2280,9 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA
pw = Get_Pwnam(account);
- /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */
+ /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
- if ( is_domain_admin )
+ if ( can_add_machines )
become_root();
if ( !pw ) {
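Review bot: `become_root()` is now gated on a delegable privilege rather than Domain Admins membership, so everything between this line and the matching `unbecome_root()` runs as uid 0 for any principal granted SeMachineAccountPrivilege; every early return inside that span must unbecome_root, and only the `pdb_init_sam_new` failure path is visible in these hunks, so the remaining exits (the `!pw` branch that starts here and whatever follows it) should be re-checked rather than assumed. Bracing the conditional, `if ( can_add_machines ) { become_root(); }`, would also make the pairing with the later `unbecome_root()` easier to audit. The enclosing block continues outside this hunk.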
@@ -2317,7 +2317,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA
/* implicit call to getpwnam() next. we have a valid SID coming out of this call */
if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account, new_rid)) ) {
- if ( is_domain_admin )
+ if ( can_add_machines )
unbecome_root();
return nt_status;
}
@@ -2326,10 +2326,10 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA
ret = pdb_add_sam_account(sam_pass);
- if ( is_domain_admin )
+ if ( can_add_machines )
unbecome_root();
- /* ================ END DOMAIN ADMIN BLOCK ================ */
+ /* ================ END SeMachineAccountPrivilege BLOCK ================ */
if ( !ret ) {
pdb_free_sam(&sam_pass);
@@ -3033,7 +3033,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE
SAM_USERINFO_CTR *ctr = q_u->ctr;
uint32 acc_granted;
uint32 acc_required;
- BOOL is_domain_admin;
+ BOOL can_add_machines;
DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__));
@@ -3067,14 +3067,14 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE
/* check to see if we are a domain admin */
- is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ can_add_machines = user_has_privilege( p->pipe_user.nt_user_token, SE_MACHINE_ACCOUNT );
DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n",
- p->pipe_user_name, is_domain_admin ? "" : " not"));
+ p->pipe_user_name, can_add_machines ? "" : " not"));
- /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */
+ /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
- if ( is_domain_admin )
+ if ( can_add_machines )
become_root();
/* ok! user info levels (lots: see MSDEV help), off we go... */
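Review bot: In _samr_set_userinfo the root elevation is conditioned only on the caller holding SE_MACHINE_ACCOUNT, not on the target being a machine (workstation/server trust) account, so a holder of the privilege gets root-privileged passdb writes for every info level against any user the earlier acc_granted check lets through. Under the previous Domain Admins test this was implied by being an administrator, but SeMachineAccountPrivilege is intended to be handed to ordinary users for domain joins, which widens what that grant buys; whether the access check above already limits the target set is not visible in this hunk. Consider looking up the target's account control flags and only elevating when it is a trust account, e.g. `if ( can_add_machines && (pdb_get_acct_ctrl(pwd) & (ACB_WSTRUST|ACB_SVRTRUST)) ) become_root();` (adjust to the local variable name), or at least documenting in a comment why root is needed for the non-machine case. The same applies to the _samr_set_userinfo2 hunk below. The body of _samr_set_userinfo begins before this hunk.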
@@ -3138,10 +3138,10 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE
}
- if ( is_domain_admin )
+ if ( can_add_machines )
unbecome_root();
- /* ================ END DOMAIN ADMIN BLOCK ================ */
+ /* ================ END SeMachineAccountPrivilege BLOCK ================ */
return r_u->status;
}
@@ -3158,7 +3158,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_
uint16 switch_value = q_u->switch_value;
uint32 acc_granted;
uint32 acc_required;
- BOOL is_domain_admin;
+ BOOL can_add_machines;
DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__));
@@ -3184,14 +3184,14 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_
/* check to see if we are a domain admin */
- is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ can_add_machines = user_has_privilege( p->pipe_user.nt_user_token, SE_MACHINE_ACCOUNT );
DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n",
- p->pipe_user_name, is_domain_admin ? "" : " not"));
+ p->pipe_user_name, can_add_machines ? "" : " not"));
- /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */
+ /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
- if ( is_domain_admin )
+ if ( can_add_machines )
become_root();
/* ok! user info levels (lots: see MSDEV help), off we go... */
@@ -3218,10 +3218,10 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_
r_u->status = NT_STATUS_INVALID_INFO_CLASS;
}
- if ( is_domain_admin )
+ if ( can_add_machines )
unbecome_root();
- /* ================ END DOMAIN ADMIN BLOCK ================ */
+ /* ================ END SeMachineAccountPrivilege BLOCK ================ */
return r_u->status;
}