author | Günther Deschner <gd@samba.org> | 2006-04-11 15:47:24 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:15:59 -0500 |
commit | 655b04e4f8585a952afe226e602995ebbc7d1600 (patch) | |
tree | cd525caa7f9927238ef254b35a1c4db01384d3a3 /source3/rpc_server | |
parent | adc0a34cebfcd84b1886a8b1ddb8eecfd6fb1e1a (diff) | |
r15041: Adding rpc client calls to manipulate auditing policies on remote CIFS
servers. Also add a new "net rpc audit" tool. The lsa query infolevels
were taken from samba4 IDL, the lsa policy flags and categories are
partly documented on msdn. I need to cleanup the double
lsa_query_info_policy{2}{_new} calls next.
Guenther
(This used to be commit 0fed66926f4b72444abfc8ffb8c46cca8d0600aa)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 53 |
1 files changed, 37 insertions, 16 deletions
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index 7fe42efefb..1f74f24296 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -62,7 +62,7 @@ static void free_lsa_info(void *ptr) Init dom_query ***************************************************************************/ -static void init_dom_query(DOM_QUERY *d_q, const char *dom_name, DOM_SID *dom_sid) +static void init_dom_query_3(DOM_QUERY_3 *d_q, const char *dom_name, DOM_SID *dom_sid) { d_q->buffer_dom_name = (dom_name != NULL) ? 1 : 0; /* domain buffer pointer */ d_q->buffer_dom_sid = (dom_sid != NULL) ? 1 : 0; /* domain sid pointer */ @@ -94,6 +94,15 @@ static void init_dom_query(DOM_QUERY *d_q, const char *dom_name, DOM_SID *dom_si } /*************************************************************************** +Init dom_query + ***************************************************************************/ + +static void init_dom_query_5(DOM_QUERY_5 *d_q, const char *dom_name, DOM_SID *dom_sid) +{ + return init_dom_query_3(d_q, dom_name, dom_sid); +} + +/*************************************************************************** init_dom_ref - adds a domain if it's not already in, returns the index. ***************************************************************************/ @@ -678,7 +687,7 @@ NTSTATUS _lsa_enum_trust_dom(pipes_struct *p, LSA_Q_ENUM_TRUST_DOM *q_u, NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INFO *r_u) { struct lsa_info *handle; - LSA_INFO_UNION *info = &r_u->dom; + LSA_INFO_CTR *ctr = &r_u->ctr; DOM_SID domain_sid; const char *name; DOM_SID *sid = NULL; 
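Review bot: In the second hunk (`@@ -94,6 +94,15 @@`), the new `init_dom_query_5` is declared `void` yet uses `return init_dom_query_3(d_q, dom_name, dom_sid);`, which ISO C does not permit in a void function and which pedantic builds warn about or reject; the body should be just `init_dom_query_3(d_q, dom_name, dom_sid);`. The call also hands a `DOM_QUERY_5 *` to a parameter typed `DOM_QUERY_3 *`, which is only sound if both names are typedefs of the same structure; their definitions are not visible in this diff, so that is worth confirming in the header. The banner comment is a verbatim copy of the one on the level 3 function; if the two levels do share a layout, a comment such as `Init dom_query_5 - same wire layout as info level 3` would explain why the wrapper exists.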
@@ -691,19 +700,31 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF switch (q_u->info_class) { case 0x02: { - unsigned int i; + + uint32 policy_def = LSA_AUDIT_POLICY_ALL; + /* check if the user have enough rights */ - if (!(handle->access & POLICY_VIEW_AUDIT_INFORMATION)) + if (!(handle->access & POLICY_VIEW_AUDIT_INFORMATION)) { + DEBUG(10,("_lsa_query_info: insufficient access rights\n")); return NT_STATUS_ACCESS_DENIED; + } /* fake info: We audit everything. ;) */ - info->id2.auditing_enabled = 1; - info->id2.count1 = 7; - info->id2.count2 = 7; - if ((info->id2.auditsettings = TALLOC_ARRAY(p->mem_ctx,uint32, 7)) == NULL) + ctr->info.id2.ptr = 1; + ctr->info.id2.auditing_enabled = True; + ctr->info.id2.count1 = ctr->info.id2.count2 = LSA_AUDIT_NUM_CATEGORIES; + + if ((ctr->info.id2.auditsettings = TALLOC_ZERO_ARRAY(p->mem_ctx, uint32, LSA_AUDIT_NUM_CATEGORIES)) == NULL) return NT_STATUS_NO_MEMORY; - for (i = 0; i < 7; i++) - info->id2.auditsettings[i] = 3; + + ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_ACCOUNT_MANAGEMENT] = policy_def; + ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_FILE_AND_OBJECT_ACCESS] = policy_def; + ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_LOGON] = policy_def; + ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_PROCCESS_TRACKING] = policy_def; + ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_SECURITY_POLICY_CHANGES] = policy_def; + ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_SYSTEM] = policy_def; + ctr->info.id2.auditsettings[LSA_AUDIT_CATEGORY_USE_OF_USER_RIGHTS] = policy_def; + break; } case 0x03: @@ -733,7 +754,7 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF default: return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } - init_dom_query(&r_u->dom.id3, name, sid); + init_dom_query_3(&r_u->ctr.info.id3, name, sid); break; case 0x05: /* check if the user have enough rights */ 
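Review bot: In the first hunk on this line (`@@ -691,19 +700,31 @@`, case 0x02), the seven `auditsettings[LSA_AUDIT_CATEGORY_*]` stores index an array of `LSA_AUDIT_NUM_CATEGORIES` elements using constants defined outside this diff, so nothing visible here guarantees that each index is below the array length or that every slot receives `policy_def`. The loop being removed had neither problem; keeping `unsigned int i;` and writing `for (i = 0; i < LSA_AUDIT_NUM_CATEGORIES; i++)` with `ctr->info.id2.auditsettings[i] = policy_def;` takes the named constants out of the bounds question. The reply is also still fabricated, so a client reading the audit policy is told every category is audited regardless of what the server actually logs; the comment should say so plainly, e.g. `/* synthetic reply: reports all categories as audited, not the server's real logging state */`. `_lsa_query_info` begins and ends outside this hunk.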
@@ -743,7 +764,7 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF /* Request PolicyAccountDomainInformation. */ name = get_global_sam_name(); sid = get_global_sam_sid(); - init_dom_query(&r_u->dom.id5, name, sid); + init_dom_query_5(&r_u->ctr.info.id5, name, sid); break; case 0x06: /* check if the user have enough rights */ @@ -756,14 +777,14 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF * only a BDC is a backup controller * of the domain, it controls. */ - info->id6.server_role = 2; + ctr->info.id6.server_role = 2; break; default: /* * any other role is a primary * of the domain, it controls. */ - info->id6.server_role = 3; + ctr->info.id6.server_role = 3; break; } break; @@ -774,8 +795,8 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF } if (NT_STATUS_IS_OK(r_u->status)) { - r_u->undoc_buffer = 0x22000000; /* bizarre */ - r_u->info_class = q_u->info_class; + r_u->dom_ptr = 0x22000000; /* bizarre */ + ctr->info_class = q_u->info_class; } return r_u->status; |