summaryrefslogtreecommitdiff
path: root/source3/rpc_server
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2005-01-13 18:20:37 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:53:51 -0500
commitd94d87472ca2f3875caa146424caa178ce20274f (patch)
treea4c6f78f7b22c649b7d9405aa27f64daf749c1fb /source3/rpc_server
parent94b88f8f26342b6ca4afecec459235c523355f6c (diff)
downloadsamba-d94d87472ca2f3875caa146424caa178ce20274f.tar.gz
samba-d94d87472ca2f3875caa146424caa178ce20274f.tar.bz2
samba-d94d87472ca2f3875caa146424caa178ce20274f.zip
r4724: Add support for Windows privileges in Samba 3.0
(based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/srv_lsa.c32
-rw-r--r--source3/rpc_server/srv_lsa_nt.c299
-rw-r--r--source3/rpc_server/srv_samr_nt.c44
3 files changed, 194 insertions, 181 deletions
diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c
index 5d6c1551c9..63e74ec891 100644
--- a/source3/rpc_server/srv_lsa.c
+++ b/source3/rpc_server/srv_lsa.c
@@ -393,6 +393,37 @@ static BOOL api_lsa_unk_get_connuser(pipes_struct *p)
}
/***************************************************************************
+ api_lsa_create_user
+ ***************************************************************************/
+
+static BOOL api_lsa_create_account(pipes_struct *p)
+{
+ LSA_Q_CREATEACCOUNT q_u;
+ LSA_R_CREATEACCOUNT r_u;
+
+ prs_struct *data = &p->in_data.data;
+ prs_struct *rdata = &p->out_data.rdata;
+
+ ZERO_STRUCT(q_u);
+ ZERO_STRUCT(r_u);
+
+ if(!lsa_io_q_create_account("", &q_u, data, 0)) {
+ DEBUG(0,("api_lsa_create_account: failed to unmarshall LSA_Q_CREATEACCOUNT.\n"));
+ return False;
+ }
+
+ r_u.status = _lsa_create_account(p, &q_u, &r_u);
+
+ /* store the response in the SMB stream */
+ if(!lsa_io_r_create_account("", &r_u, rdata, 0)) {
+ DEBUG(0,("api_lsa_create_account: Failed to marshall LSA_R_CREATEACCOUNT.\n"));
+ return False;
+ }
+
+ return True;
+}
+
+/***************************************************************************
api_lsa_open_user
***************************************************************************/
@@ -659,6 +690,7 @@ static struct api_struct api_lsa_cmds[] =
{ "LSA_PRIV_GET_DISPNAME",LSA_PRIV_GET_DISPNAME,api_lsa_priv_get_dispname},
{ "LSA_ENUM_ACCOUNTS" , LSA_ENUM_ACCOUNTS , api_lsa_enum_accounts },
{ "LSA_UNK_GET_CONNUSER", LSA_UNK_GET_CONNUSER, api_lsa_unk_get_connuser },
+ { "LSA_CREATEACCOUNT" , LSA_CREATEACCOUNT , api_lsa_create_account },
{ "LSA_OPENACCOUNT" , LSA_OPENACCOUNT , api_lsa_open_account },
{ "LSA_ENUMPRIVSACCOUNT", LSA_ENUMPRIVSACCOUNT, api_lsa_enum_privsaccount},
{ "LSA_GETSYSTEMACCOUNT", LSA_GETSYSTEMACCOUNT, api_lsa_getsystemaccount },
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index fcd574971f..89633935a2 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -1,4 +1,4 @@
-/*
+/*
* Unix SMB/CIFS implementation.
* RPC Pipe client / server routines
* Copyright (C) Andrew Tridgell 1992-1997,
@@ -7,6 +7,7 @@
* Copyright (C) Jeremy Allison 2001,
* Copyright (C) Rafal Szczesniak 2002,
* Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
+ * Copyright (C) Simo Sorce 2003.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -411,9 +412,12 @@ NTSTATUS _lsa_open_policy2(pipes_struct *p, LSA_Q_OPEN_POL2 *q_u, LSA_R_OPEN_POL
DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
acc_granted, des_access));
DEBUGADD(4,("but overwritten by euid == 0\n"));
- acc_granted = des_access;
}
+ /* This is needed for lsa_open_account and rpcclient .... :-) */
+
+ if (geteuid() == 0)
+ acc_granted = POLICY_ALL_ACCESS;
/* associate the domain SID with the (unique) handle. */
if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
@@ -758,49 +762,51 @@ NTSTATUS _lsa_enum_privs(pipes_struct *p, LSA_Q_ENUM_PRIVS *q_u, LSA_R_ENUM_PRIV
{
struct lsa_info *handle;
uint32 i;
+ uint32 enum_context = q_u->enum_context;
+ int num_privs = count_all_privileges();
+ LSA_PRIV_ENTRY *entries = NULL;
- uint32 enum_context=q_u->enum_context;
- LSA_PRIV_ENTRY *entry;
- LSA_PRIV_ENTRY *entries=NULL;
+ /* remember that the enum_context starts at 0 and not 1 */
- if (enum_context >= PRIV_ALL_INDEX)
+ if ( enum_context >= num_privs )
return NT_STATUS_NO_MORE_ENTRIES;
-
- entries = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_PRIV_ENTRY, PRIV_ALL_INDEX);
- if (entries==NULL)
+
+ DEBUG(10,("_lsa_enum_privs: enum_context:%d total entries:%d\n",
+ enum_context, num_privs));
+
+ if ( !(entries = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_PRIV_ENTRY, num_privs + 1)))
return NT_STATUS_NO_MEMORY;
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
return NT_STATUS_INVALID_HANDLE;
- /* check if the user have enough rights */
+ /* check if the user have enough rights
+ I don't know if it's the right one. not documented. */
- /*
- * I don't know if it's the right one. not documented.
- */
if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
return NT_STATUS_ACCESS_DENIED;
- entry = entries;
-
- DEBUG(10,("_lsa_enum_privs: enum_context:%d total entries:%d\n", enum_context, PRIV_ALL_INDEX));
-
- for (i = 0; i < PRIV_ALL_INDEX; i++, entry++) {
- if( i<enum_context) {
- init_unistr2(&entry->name, NULL, UNI_FLAGS_NONE);
- init_uni_hdr(&entry->hdr_name, &entry->name);
- entry->luid_low = 0;
- entry->luid_high = 0;
+ if ( !(entries = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_PRIV_ENTRY, num_privs )) )
+ return NT_STATUS_NO_MEMORY;
+
+
+ for (i = 0; i < num_privs; i++) {
+ if( i < enum_context) {
+ init_unistr2(&entries[i].name, NULL, UNI_FLAGS_NONE);
+ init_uni_hdr(&entries[i].hdr_name, &entries[i].name);
+ entries[i].luid_low = 0;
+ entries[i].luid_high = 0;
} else {
- init_unistr2(&entry->name, privs[i+1].priv, UNI_FLAGS_NONE);
- init_uni_hdr(&entry->hdr_name, &entry->name);
- entry->luid_low = privs[i+1].se_priv;
- entry->luid_high = 0;
+ init_unistr2(&entries[i].name, privs[i].name, UNI_FLAGS_NONE);
+ init_uni_hdr(&entries[i].hdr_name, &entries[i].name);
+ entries[i].luid_low = privs[i].se_priv;
+ entries[i].luid_high = 0;
}
}
- enum_context = PRIV_ALL_INDEX;
- init_lsa_r_enum_privs(r_u, enum_context, PRIV_ALL_INDEX, entries);
+ enum_context = num_privs;
+
+ init_lsa_r_enum_privs(r_u, enum_context, num_privs, entries);
return NT_STATUS_OK;
}
@@ -813,7 +819,7 @@ NTSTATUS _lsa_priv_get_dispname(pipes_struct *p, LSA_Q_PRIV_GET_DISPNAME *q_u, L
{
struct lsa_info *handle;
fstring name_asc;
- int i=1;
+ int i = 0;
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
return NT_STATUS_INVALID_HANDLE;
@@ -828,22 +834,22 @@ NTSTATUS _lsa_priv_get_dispname(pipes_struct *p, LSA_Q_PRIV_GET_DISPNAME *q_u, L
unistr2_to_ascii(name_asc, &q_u->name, sizeof(name_asc));
- DEBUG(10,("_lsa_priv_get_dispname: %s", name_asc));
+ DEBUG(10,("_lsa_priv_get_dispname: %s\n", name_asc));
- while (privs[i].se_priv!=SE_PRIV_ALL && strcmp(name_asc, privs[i].priv))
+ while (privs[i].se_priv != SE_END && !strequal(name_asc, privs[i].name))
i++;
- if (privs[i].se_priv!=SE_PRIV_ALL) {
+ if (privs[i].se_priv != SE_END) {
DEBUG(10,(": %s\n", privs[i].description));
init_unistr2(&r_u->desc, privs[i].description, UNI_FLAGS_NONE);
init_uni_hdr(&r_u->hdr_desc, &r_u->desc);
- r_u->ptr_info=0xdeadbeef;
- r_u->lang_id=q_u->lang_id;
+ r_u->ptr_info = 0xdeadbeef;
+ r_u->lang_id = q_u->lang_id;
return NT_STATUS_OK;
} else {
DEBUG(10,("_lsa_priv_get_dispname: doesn't exist\n"));
- r_u->ptr_info=0;
+ r_u->ptr_info = 0;
return NT_STATUS_NO_SUCH_PRIVILEGE;
}
}
@@ -855,32 +861,26 @@ _lsa_enum_accounts.
NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENUM_ACCOUNTS *r_u)
{
struct lsa_info *handle;
- GROUP_MAP *map=NULL;
- int num_entries=0;
+ DOM_SID *sid_list;
+ int i, j, num_entries;
LSA_SID_ENUM *sids=&r_u->sids;
- int i=0,j=0;
- BOOL ret;
+ NTSTATUS ret;
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
return NT_STATUS_INVALID_HANDLE;
- /* check if the user have enough rights */
-
- /*
- * I don't know if it's the right one. not documented.
- */
if (!(handle->access & POLICY_VIEW_LOCAL_INFORMATION))
return NT_STATUS_ACCESS_DENIED;
- /* get the list of mapped groups (domain, local, builtin) */
- become_root();
- ret = pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED);
- unbecome_root();
- if( !ret ) {
- DEBUG(3,("_lsa_enum_accounts: enumeration of groups failed!\n"));
- return NT_STATUS_OK;
+ sid_list = NULL;
+ num_entries = 0;
+
+ /* The only way we can currently find out all the SIDs that have been
+ privileged is to scan all privileges */
+
+ if (!NT_STATUS_IS_OK(ret = privilege_enumerate_accounts(&sid_list, &num_entries))) {
+ return ret;
}
-
if (q_u->enum_context >= num_entries)
return NT_STATUS_NO_MORE_ENTRIES;
@@ -889,19 +889,18 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU
sids->sid = TALLOC_ZERO_ARRAY(p->mem_ctx, DOM_SID2, num_entries-q_u->enum_context);
if (sids->ptr_sid==NULL || sids->sid==NULL) {
- SAFE_FREE(map);
+ SAFE_FREE(sid_list);
return NT_STATUS_NO_MEMORY;
}
- for (i=q_u->enum_context, j=0; i<num_entries; i++) {
- init_dom_sid2( &(*sids).sid[j], &map[i].sid);
- (*sids).ptr_sid[j]=1;
- j++;
+ for (i = q_u->enum_context, j = 0; i < num_entries; i++, j++) {
+ init_dom_sid2(&(*sids).sid[j], &sid_list[i]);
+ (*sids).ptr_sid[j] = 1;
}
- SAFE_FREE(map);
+ SAFE_FREE(sid_list);
- init_lsa_r_enum_accounts(r_u, j);
+ init_lsa_r_enum_accounts(r_u, num_entries);
return NT_STATUS_OK;
}
@@ -934,15 +933,51 @@ NTSTATUS _lsa_unk_get_connuser(pipes_struct *p, LSA_Q_UNK_GET_CONNUSER *q_u, LSA
}
/***************************************************************************
-
+ Lsa Create Account
***************************************************************************/
-NTSTATUS _lsa_open_account(pipes_struct *p, LSA_Q_OPENACCOUNT *q_u, LSA_R_OPENACCOUNT *r_u)
+NTSTATUS _lsa_create_account(pipes_struct *p, LSA_Q_CREATEACCOUNT *q_u, LSA_R_CREATEACCOUNT *r_u)
{
struct lsa_info *handle;
struct lsa_info *info;
- r_u->status = NT_STATUS_OK;
+ /* find the connection policy handle. */
+ if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
+ return NT_STATUS_INVALID_HANDLE;
+
+ /* check if the user have enough rights */
+
+ /*
+ * I don't know if it's the right one. not documented.
+ * but guessed with rpcclient.
+ */
+ if (!(handle->access & POLICY_GET_PRIVATE_INFORMATION))
+ return NT_STATUS_ACCESS_DENIED;
+
+ /* associate the user/group SID with the (unique) handle. */
+ if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
+ return NT_STATUS_NO_MEMORY;
+
+ ZERO_STRUCTP(info);
+ info->sid = q_u->sid.sid;
+ info->access = q_u->access;
+
+ /* get a (unique) handle. open a policy on it. */
+ if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info))
+ return NT_STATUS_OBJECT_NAME_NOT_FOUND;
+
+ return privilege_create_account( &info->sid );
+}
+
+
+/***************************************************************************
+ Lsa Open Account
+ ***************************************************************************/
+
+NTSTATUS _lsa_open_account(pipes_struct *p, LSA_Q_OPENACCOUNT *q_u, LSA_R_OPENACCOUNT *r_u)
+{
+ struct lsa_info *handle;
+ struct lsa_info *info;
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
@@ -957,6 +992,11 @@ NTSTATUS _lsa_open_account(pipes_struct *p, LSA_Q_OPENACCOUNT *q_u, LSA_R_OPENAC
if (!(handle->access & POLICY_GET_PRIVATE_INFORMATION))
return NT_STATUS_ACCESS_DENIED;
+ /* TODO: Fis the parsing routine before reenabling this check! */
+ #if 0
+ if (!lookup_sid(&handle->sid, dom_name, name, &type))
+ return NT_STATUS_ACCESS_DENIED;
+ #endif
/* associate the user/group SID with the (unique) handle. */
if ((info = SMB_MALLOC_P(struct lsa_info)) == NULL)
return NT_STATUS_NO_MEMORY;
@@ -969,7 +1009,7 @@ NTSTATUS _lsa_open_account(pipes_struct *p, LSA_Q_OPENACCOUNT *q_u, LSA_R_OPENAC
if (!create_policy_hnd(p, &r_u->pol, free_lsa_info, (void *)info))
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
- return r_u->status;
+ return NT_STATUS_OK;
}
/***************************************************************************
@@ -979,44 +1019,24 @@ NTSTATUS _lsa_open_account(pipes_struct *p, LSA_Q_OPENACCOUNT *q_u, LSA_R_OPENAC
NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, prs_struct *ps, LSA_Q_ENUMPRIVSACCOUNT *q_u, LSA_R_ENUMPRIVSACCOUNT *r_u)
{
struct lsa_info *info=NULL;
- GROUP_MAP map;
- LUID_ATTR *set=NULL;
-
- r_u->status = NT_STATUS_OK;
+ PRIVILEGE_SET priv;
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!pdb_getgrsid(&map, info->sid))
- return NT_STATUS_NO_SUCH_GROUP;
+ privilege_set_init( &priv );
-#if 0 /* privileges currently not implemented! */
- DEBUG(10,("_lsa_enum_privsaccount: %d privileges\n", map.priv_set->count));
- if (map.priv_set->count!=0) {
-
- set=(LUID_ATTR *)talloc(map.priv_set->mem_ctx, map.priv_set.count*sizeof(LUID_ATTR));
- if (set == NULL) {
- destroy_privilege(&map.priv_set);
- return NT_STATUS_NO_MEMORY;
- }
+ get_privileges_for_sids( &priv, &info->sid, 1 );
- for (i = 0; i < map.priv_set.count; i++) {
- set[i].luid.low = map.priv_set->set[i].luid.low;
- set[i].luid.high = map.priv_set->set[i].luid.high;
- set[i].attr = map.priv_set->set[i].attr;
- DEBUG(10,("_lsa_enum_privsaccount: priv %d: %d:%d:%d\n", i,
- set[i].luid.high, set[i].luid.low, set[i].attr));
- }
- }
+ DEBUG(10,("_lsa_enum_privsaccount: %s has %d privileges\n",
+ sid_string_static(&info->sid), priv.count));
- init_lsa_r_enum_privsaccount(ps->mem_ctx, r_u, set, map.priv_set->count, 0);
- destroy_privilege(&map.priv_set);
-#endif
+ init_lsa_r_enum_privsaccount(ps->mem_ctx, r_u, priv.set, priv.count, 0);
- init_lsa_r_enum_privsaccount(ps->mem_ctx, r_u, set, 0, 0);
+ privilege_set_free( &priv );
- return r_u->status;
+ return NT_STATUS_OK;
}
/***************************************************************************
@@ -1026,15 +1046,16 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, prs_struct *ps, LSA_Q_ENUMPRIVS
NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA_R_GETSYSTEMACCOUNT *r_u)
{
struct lsa_info *info=NULL;
- GROUP_MAP map;
- r_u->status = NT_STATUS_OK;
+ fstring name, dom_name;
+ enum SID_NAME_USE type;
/* find the connection policy handle. */
+
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!pdb_getgrsid(&map, info->sid))
- return NT_STATUS_NO_SUCH_GROUP;
+ if (!lookup_sid(&info->sid, dom_name, name, &type))
+ return NT_STATUS_ACCESS_DENIED;
/*
0x01 -> Log on locally
@@ -1047,7 +1068,7 @@ NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA
r_u->access = PR_LOG_ON_LOCALLY | PR_ACCESS_FROM_NETWORK;
- return r_u->status;
+ return NT_STATUS_OK;
}
/***************************************************************************
@@ -1079,44 +1100,31 @@ NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA
NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u)
{
-#if 0
struct lsa_info *info = NULL;
- GROUP_MAP map;
int i = 0;
- LUID_ATTR *luid_attr = NULL;
+ uint32 mask;
PRIVILEGE_SET *set = NULL;
-#endif
-
- r_u->status = NT_STATUS_OK;
-#if 0 /* privileges are not implemented */
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!pdb_getgrsid(&map, info->sid))
- return NT_STATUS_NO_SUCH_GROUP;
-
set = &q_u->set;
for (i = 0; i < set->count; i++) {
- luid_attr = &set->set[i];
-
- /* check if the privilege is already there */
- if (check_priv_in_privilege(map.priv_set, *luid_attr)){
- destroy_privilege(&map.priv_set);
+
+ mask = luid_to_privilege_mask( &(set->set[i].luid) );
+
+ if ( mask != SE_END ) {
+ if ( !grant_privilege( &info->sid, mask ) ) {
+ DEBUG(3,("_lsa_addprivs: grant_privilege( %s, 0x%x) failed!\n",
+ sid_string_static(&info->sid), mask ));
+ return NT_STATUS_NO_SUCH_PRIVILEGE;
+ }
}
-
- add_privilege(map.priv_set, *luid_attr);
}
- if(!pdb_update_group_mapping_entry(&map))
- return NT_STATUS_NO_SUCH_GROUP;
-
- destroy_privilege(&map.priv_set);
-
-#endif
- return r_u->status;
+ return NT_STATUS_OK;
}
/***************************************************************************
@@ -1125,57 +1133,30 @@ NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u
NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEPRIVS *r_u)
{
-#if 0
struct lsa_info *info = NULL;
- GROUP_MAP map;
- int i=0;
- LUID_ATTR *luid_attr = NULL;
+ int i = 0;
+ uint32 mask;
PRIVILEGE_SET *set = NULL;
-#endif
-
- r_u->status = NT_STATUS_OK;
-#if 0 /* privileges are not implemented */
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!pdb_getgrsid(&map, info->sid))
- return NT_STATUS_NO_SUCH_GROUP;
-
- if (q_u->allrights != 0) {
- /* log it and return, until I see one myself don't do anything */
- DEBUG(5,("_lsa_removeprivs: trying to remove all privileges ?\n"));
- return NT_STATUS_OK;
- }
-
- if (q_u->ptr == 0) {
- /* log it and return, until I see one myself don't do anything */
- DEBUG(5,("_lsa_removeprivs: no privileges to remove ?\n"));
- return NT_STATUS_OK;
- }
-
set = &q_u->set;
for (i = 0; i < set->count; i++) {
- luid_attr = &set->set[i];
-
- /* if we don't have the privilege, we're trying to remove, give up */
- /* what else can we do ??? JFM. */
- if (!check_priv_in_privilege(map.priv_set, *luid_attr)){
- destroy_privilege(&map.priv_set);
- return NT_STATUS_NO_SUCH_PRIVILEGE;
+ mask = luid_to_privilege_mask( &(set->set[i].luid) );
+
+ if ( mask != SE_END ) {
+ if ( !revoke_privilege( &info->sid, mask ) ) {
+ DEBUG(3,("_lsa_removeprivs: revoke_privilege( %s, 0x%x) failed!\n",
+ sid_string_static(&info->sid), mask ));
+ return NT_STATUS_NO_SUCH_PRIVILEGE;
+ }
}
-
- remove_privilege(map.priv_set, *luid_attr);
}
- if(!pdb_update_group_mapping_entry(&map))
- return NT_STATUS_NO_SUCH_GROUP;
-
- destroy_privilege(&map.priv_set);
-#endif
- return r_u->status;
+ return NT_STATUS_OK;
}
/***************************************************************************
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index da1c386fd2..271553f4b2 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -2215,7 +2215,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA
uint32 new_rid = 0;
/* check this, when giving away 'add computer to domain' privs */
uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
- BOOL is_domain_admin = False;
+ BOOL can_add_machines = False;
/* Get the domain SID stored in the domain policy */
if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted))
@@ -2242,10 +2242,10 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA
/* check to see if we are a domain admin */
- is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ can_add_machines = user_has_privilege( p->pipe_user.nt_user_token, SE_MACHINE_ACCOUNT );
DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n",
- p->pipe_user_name, is_domain_admin ? "" : " not"));
+ p->pipe_user_name, can_add_machines ? "" : " not"));
pdb_init_sam(&sam_pass);
@@ -2280,9 +2280,9 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA
pw = Get_Pwnam(account);
- /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */
+ /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
- if ( is_domain_admin )
+ if ( can_add_machines )
become_root();
if ( !pw ) {
@@ -2317,7 +2317,7 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA
/* implicit call to getpwnam() next. we have a valid SID coming out of this call */
if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account, new_rid)) ) {
- if ( is_domain_admin )
+ if ( can_add_machines )
unbecome_root();
return nt_status;
}
@@ -2326,10 +2326,10 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA
ret = pdb_add_sam_account(sam_pass);
- if ( is_domain_admin )
+ if ( can_add_machines )
unbecome_root();
- /* ================ END DOMAIN ADMIN BLOCK ================ */
+ /* ================ END SeMachineAccountPrivilege BLOCK ================ */
if ( !ret ) {
pdb_free_sam(&sam_pass);
@@ -3033,7 +3033,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE
SAM_USERINFO_CTR *ctr = q_u->ctr;
uint32 acc_granted;
uint32 acc_required;
- BOOL is_domain_admin;
+ BOOL can_add_machines;
DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__));
@@ -3067,14 +3067,14 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE
/* check to see if we are a domain admin */
- is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ can_add_machines = user_has_privilege( p->pipe_user.nt_user_token, SE_MACHINE_ACCOUNT );
DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n",
- p->pipe_user_name, is_domain_admin ? "" : " not"));
+ p->pipe_user_name, can_add_machines ? "" : " not"));
- /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */
+ /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
- if ( is_domain_admin )
+ if ( can_add_machines )
become_root();
/* ok! user info levels (lots: see MSDEV help), off we go... */
@@ -3138,10 +3138,10 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE
}
- if ( is_domain_admin )
+ if ( can_add_machines )
unbecome_root();
- /* ================ END DOMAIN ADMIN BLOCK ================ */
+ /* ================ END SeMachineAccountPrivilege BLOCK ================ */
return r_u->status;
}
@@ -3158,7 +3158,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_
uint16 switch_value = q_u->switch_value;
uint32 acc_granted;
uint32 acc_required;
- BOOL is_domain_admin;
+ BOOL can_add_machines;
DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__));
@@ -3184,14 +3184,14 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_
/* check to see if we are a domain admin */
- is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ can_add_machines = user_has_privilege( p->pipe_user.nt_user_token, SE_MACHINE_ACCOUNT );
DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n",
- p->pipe_user_name, is_domain_admin ? "" : " not"));
+ p->pipe_user_name, can_add_machines ? "" : " not"));
- /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */
+ /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
- if ( is_domain_admin )
+ if ( can_add_machines )
become_root();
/* ok! user info levels (lots: see MSDEV help), off we go... */
@@ -3218,10 +3218,10 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_
r_u->status = NT_STATUS_INVALID_INFO_CLASS;
}
- if ( is_domain_admin )
+ if ( can_add_machines )
unbecome_root();
- /* ================ END DOMAIN ADMIN BLOCK ================ */
+ /* ================ END SeMachineAccountPrivilege BLOCK ================ */
return r_u->status;
}