diff options
author | Gerald Carter <jerry@samba.org> | 2005-03-10 18:50:47 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:55:57 -0500 |
commit | 66df8431ec092c4e629fc07e8e5a242ff3821b2d (patch) | |
tree | 17d58c731f37eaf257e194e38d04dbe299d29551 /source3 | |
parent | 3e4bc25f44c9456cab00b4919b2ead22d5ea91f7 (diff) | |
download | samba-66df8431ec092c4e629fc07e8e5a242ff3821b2d.tar.gz samba-66df8431ec092c4e629fc07e8e5a242ff3821b2d.tar.bz2 samba-66df8431ec092c4e629fc07e8e5a242ff3821b2d.zip |
r5726: merge LsaLookupPrivValue() code from trunk
(This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/privileges.h | 2 | ||||
-rw-r--r-- | source3/include/rpc_lsa.h | 19 | ||||
-rw-r--r-- | source3/lib/privileges.c | 116 | ||||
-rw-r--r-- | source3/rpc_client/cli_lsarpc.c | 12 | ||||
-rw-r--r-- | source3/rpc_parse/parse_lsa.c | 43 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa.c | 40 | ||||
-rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 44 | ||||
-rw-r--r-- | source3/rpcclient/cmd_lsarpc.c | 12 |
8 files changed, 187 insertions, 101 deletions
diff --git a/source3/include/privileges.h b/source3/include/privileges.h index 5266e46e3a..c7a9b0560d 100644 --- a/source3/include/privileges.h +++ b/source3/include/privileges.h @@ -6,7 +6,7 @@ Copyright (C) Luke Kenneth Casson Leighton 1996-1997 Copyright (C) Paul Ashton 1997 Copyright (C) Simo Sorce 2003 - Copyright (C) Gerald (Jerry) Carter 2004 + Copyright (C) Gerald (Jerry) Carter 2005 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by diff --git a/source3/include/rpc_lsa.h b/source3/include/rpc_lsa.h index 01add64727..a0d78280c2 100644 --- a/source3/include/rpc_lsa.h +++ b/source3/include/rpc_lsa.h @@ -698,20 +698,20 @@ typedef struct lsa_r_setsystemaccount NTSTATUS status; } LSA_R_SETSYSTEMACCOUNT; +typedef struct { + UNIHDR hdr; + UNISTR2 unistring; +} LSA_STRING; -typedef struct lsa_q_lookupprivvalue -{ +typedef struct { POLICY_HND pol; /* policy handle */ - UNIHDR hdr_right; - UNISTR2 uni2_right; -} LSA_Q_LOOKUPPRIVVALUE; + LSA_STRING privname; +} LSA_Q_LOOKUP_PRIV_VALUE; -typedef struct lsa_r_lookupprivvalue -{ +typedef struct { LUID luid; NTSTATUS status; -} LSA_R_LOOKUPPRIVVALUE; - +} LSA_R_LOOKUP_PRIV_VALUE; typedef struct lsa_q_addprivs { @@ -740,5 +740,4 @@ typedef struct lsa_r_removeprivs NTSTATUS status; } LSA_R_REMOVEPRIVS; - #endif /* _RPC_LSA_H */ diff --git a/source3/lib/privileges.c b/source3/lib/privileges.c index 5a5afa4d72..8b5348e1f2 100644 --- a/source3/lib/privileges.c +++ b/source3/lib/privileges.c @@ -3,7 +3,7 @@ Privileges handling functions Copyright (C) Jean François Micouleau 1998-2001 Copyright (C) Simo Sorce 2002-2003 - Copyright (C) Gerald (Jerry) Carter 2004 + Copyright (C) Gerald (Jerry) Carter 2005 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -40,6 +40,43 @@ const SE_PRIV se_add_users = SE_ADD_USERS; const SE_PRIV se_disk_operators = SE_DISK_OPERATOR; const SE_PRIV se_remote_shutdown = SE_REMOTE_SHUTDOWN; +/******************************************************************** + This is a list of privileges reported by a WIndows 2000 SP4 AD DC + just for reference purposes: + + SeCreateTokenPrivilege Create a token object + SeAssignPrimaryTokenPrivilege Replace a process level token + SeLockMemoryPrivilege Lock pages in memory + SeIncreaseQuotaPrivilege Increase quotas + SeMachineAccountPrivilege Add workstations to domain + SeTcbPrivilege Act as part of the operating system + SeSecurityPrivilege Manage auditing and security log + SeTakeOwnershipPrivilege Take ownership of files or other objects + SeLoadDriverPrivilege Load and unload device drivers + SeSystemProfilePrivilege Profile system performance + SeSystemtimePrivilege Change the system time + SeProfileSingleProcessPrivilege Profile single process + SeIncreaseBasePriorityPrivilege Increase scheduling priority + SeCreatePagefilePrivilege Create a pagefile + SeCreatePermanentPrivilege Create permanent shared objects + SeBackupPrivilege Back up files and directories + SeRestorePrivilege Restore files and directories + SeShutdownPrivilege Shut down the system + SeDebugPrivilege Debug programs + SeAuditPrivilege Generate security audits + SeSystemEnvironmentPrivilege Modify firmware environment values + SeChangeNotifyPrivilege Bypass traverse checking + SeRemoteShutdownPrivilege Force shutdown from a remote system + SeUndockPrivilege Remove computer from docking station + SeSyncAgentPrivilege Synchronize directory service data + SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation + SeManageVolumePrivilege Perform volume maintenance tasks + SeImpersonatePrivilege Impersonate a client after authentication + SeCreateGlobalPrivilege Create global objects + +********************************************************************/ + + PRIVS privs[] = { #if 0 /* usrmgr will display these twice if you include them. We don't use them but we'll keep the bitmasks reserved in privileges.h anyways */ @@ -58,38 +95,6 @@ PRIVS privs[] = { {SE_END, "", ""} }; -#if 0 /* not needed currently */ -PRIVS privs[] = { - {SE_ASSIGN_PRIMARY_TOKEN, "SeAssignPrimaryTokenPrivilege", "Assign Primary Token"}, - {SE_CREATE_TOKEN, "SeCreateTokenPrivilege", "Create Token"}, - {SE_LOCK_MEMORY, "SeLockMemoryPrivilege", "Lock Memory"}, - {SE_INCREASE_QUOTA, "SeIncreaseQuotaPrivilege", "Increase Quota"}, - {SE_UNSOLICITED_INPUT, "SeUnsolicitedInputPrivilege", "Unsolicited Input"}, - {SE_TCB, "SeTcbPrivilege", "Act as part of the operating system"}, - {SE_SECURITY, "SeSecurityPrivilege", "Security Privilege"}, - {SE_TAKE_OWNERSHIP, "SeTakeOwnershipPrivilege", "Take Ownership Privilege"}, - {SE_LOAD_DRIVER, "SeLocalDriverPrivilege", "Local Driver Privilege"}, - {SE_SYSTEM_PROFILE, "SeSystemProfilePrivilege", "System Profile Privilege"}, - {SE_SYSTEM_TIME, "SeSystemtimePrivilege", "System Time"}, - {SE_PROF_SINGLE_PROCESS, "SeProfileSingleProcessPrivilege", "Profile Single Process Privilege"}, - {SE_INC_BASE_PRIORITY, "SeIncreaseBasePriorityPrivilege", "Increase Base Priority Privilege"}, - {SE_CREATE_PAGEFILE, "SeCreatePagefilePrivilege", "Create Pagefile Privilege"}, - {SE_CREATE_PERMANENT, "SeCreatePermanentPrivilege", "Create Permanent"}, - {SE_BACKUP, "SeBackupPrivilege", "Backup Privilege"}, - {SE_RESTORE, "SeRestorePrivilege", "Restore Privilege"}, - {SE_SHUTDOWN, "SeShutdownPrivilege", "Shutdown Privilege"}, - {SE_DEBUG, "SeDebugPrivilege", "Debug Privilege"}, - {SE_AUDIT, "SeAuditPrivilege", "Audit"}, - {SE_SYSTEM_ENVIRONMENT, "SeSystemEnvironmentPrivilege", "System Environment Privilege"}, - {SE_CHANGE_NOTIFY, "SeChangeNotifyPrivilege", "Change Notify"}, - {SE_UNDOCK, "SeUndockPrivilege", "Undock"}, - {SE_SYNC_AGENT, "SeSynchronizationAgentPrivilege", "Synchronization Agent"}, - {SE_ENABLE_DELEGATION, "SeEnableDelegationPrivilege", "Enable Delegation"}, - {SE_ALL_PRIVS, "SeAllPrivileges", "All Privileges"} - {SE_END, "", ""} -}; -#endif - typedef struct priv_sid_list { SE_PRIV privilege; SID_LIST sids; @@ -177,6 +182,24 @@ static BOOL se_priv_empty( const SE_PRIV *mask ) return se_priv_equal( &p1, &se_priv_none ); } +/********************************************************************* + Lookup the SE_PRIV value for a privilege name +*********************************************************************/ + +BOOL se_priv_from_name( const char *name, SE_PRIV *mask ) +{ + int i; + + for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) { + if ( strequal( privs[i].name, name ) ) { + se_priv_copy( mask, &privs[i].se_priv ); + return True; + } + } + + return False; +} + /*************************************************************************** dump an SE_PRIV structure to the log files ****************************************************************************/ @@ -369,11 +392,9 @@ LUID_ATTR get_privilege_luid( SE_PRIV *mask ) for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) { - /* just use the index+1 (so its non-zero) into the - array as the lower portion of the LUID */ - if ( se_priv_equal( &privs[i].se_priv, mask ) ) { priv_luid.luid.low = GENERATE_LUID_LOW(i); + break; } } @@ -664,9 +685,6 @@ NTSTATUS dup_luid_attr(TALLOC_CTX *mem_ctx, LUID_ATTR **new_la, LUID_ATTR *old_l { int i; - /* don't crash if the source pointer is NULL (since we don't - do priviledges now anyways) */ - if ( !old_la ) return NT_STATUS_OK; @@ -731,26 +749,6 @@ char* luid_to_privilege_name(const LUID *set) return name; } -/**************************************************************************** - Convert an LUID to a 32-bit mask -****************************************************************************/ - -SE_PRIV* luid_to_privilege_mask(const LUID *set) -{ - static SE_PRIV mask; - int max = count_all_privileges(); - - if (set->high != 0) - return NULL; - - if ( set->low > max ) - return NULL; - - se_priv_copy( &mask, &privs[set->low - 1].se_priv ); - - return &mask; -} - /******************************************************************* return the number of elements in the privlege array *******************************************************************/ diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c index 98c2475a65..45b7509d45 100644 --- a/source3/rpc_client/cli_lsarpc.c +++ b/source3/rpc_client/cli_lsarpc.c @@ -1110,12 +1110,12 @@ NTSTATUS cli_lsa_enum_privsaccount(struct cli_state *cli, TALLOC_CTX *mem_ctx, /** Get a privilege value given its name */ -NTSTATUS cli_lsa_lookupprivvalue(struct cli_state *cli, TALLOC_CTX *mem_ctx, +NTSTATUS cli_lsa_lookup_priv_value(struct cli_state *cli, TALLOC_CTX *mem_ctx, POLICY_HND *pol, const char *name, LUID *luid) { prs_struct qbuf, rbuf; - LSA_Q_LOOKUPPRIVVALUE q; - LSA_R_LOOKUPPRIVVALUE r; + LSA_Q_LOOKUP_PRIV_VALUE q; + LSA_R_LOOKUP_PRIV_VALUE r; NTSTATUS result; ZERO_STRUCT(q); @@ -1128,9 +1128,9 @@ NTSTATUS cli_lsa_lookupprivvalue(struct cli_state *cli, TALLOC_CTX *mem_ctx, /* Marshall data and send request */ - init_lsa_q_lookupprivvalue(&q, pol, name); + init_lsa_q_lookup_priv_value(&q, pol, name); - if (!lsa_io_q_lookupprivvalue("", &q, &qbuf, 0) || + if (!lsa_io_q_lookup_priv_value("", &q, &qbuf, 0) || !rpc_api_pipe_req(cli, PI_LSARPC, LSA_LOOKUPPRIVVALUE, &qbuf, &rbuf)) { result = NT_STATUS_UNSUCCESSFUL; goto done; @@ -1138,7 +1138,7 @@ NTSTATUS cli_lsa_lookupprivvalue(struct cli_state *cli, TALLOC_CTX *mem_ctx, /* Unmarshall response */ - if (!lsa_io_r_lookupprivvalue("", &r, &rbuf, 0)) { + if (!lsa_io_r_lookup_priv_value("", &r, &rbuf, 0)) { result = NT_STATUS_UNSUCCESSFUL; goto done; } diff --git a/source3/rpc_parse/parse_lsa.c b/source3/rpc_parse/parse_lsa.c index e38197ddba..bbff258722 100644 --- a/source3/rpc_parse/parse_lsa.c +++ b/source3/rpc_parse/parse_lsa.c @@ -1981,20 +1981,38 @@ BOOL lsa_io_r_setsystemaccount(const char *desc, LSA_R_SETSYSTEMACCOUNT *r_c, p } -void init_lsa_q_lookupprivvalue(LSA_Q_LOOKUPPRIVVALUE *trn, POLICY_HND *hnd, const char *name) +static void init_lsa_string( LSA_STRING *uni, const char *string ) { - memcpy(&trn->pol, hnd, sizeof(trn->pol)); - init_unistr2(&trn->uni2_right, name, UNI_FLAGS_NONE); - init_uni_hdr(&trn->hdr_right, &trn->uni2_right); + init_unistr2(&uni->unistring, string, UNI_FLAGS_NONE); + init_uni_hdr(&uni->hdr, &uni->unistring); +} + +void init_lsa_q_lookup_priv_value(LSA_Q_LOOKUP_PRIV_VALUE *q_u, POLICY_HND *hnd, const char *name) +{ + memcpy(&q_u->pol, hnd, sizeof(q_u->pol)); + init_lsa_string( &q_u->privname, name ); +} + +BOOL smb_io_lsa_string( const char *desc, LSA_STRING *string, prs_struct *ps, int depth ) +{ + prs_debug(ps, depth, desc, "smb_io_lsa_string"); + depth++; + + if(!smb_io_unihdr ("hdr", &string->hdr, ps, depth)) + return False; + if(!smb_io_unistr2("unistring", &string->unistring, string->hdr.buffer, ps, depth)) + return False; + + return True; } /******************************************************************* - Reads or writes an LSA_Q_LOOKUPPRIVVALUE structure. + Reads or writes an LSA_Q_LOOKUP_PRIV_VALUE structure. ********************************************************************/ -BOOL lsa_io_q_lookupprivvalue(const char *desc, LSA_Q_LOOKUPPRIVVALUE *r_c, prs_struct *ps, int depth) +BOOL lsa_io_q_lookup_priv_value(const char *desc, LSA_Q_LOOKUP_PRIV_VALUE *r_c, prs_struct *ps, int depth) { - prs_debug(ps, depth, desc, "lsa_io_q_lookupprivvalue"); + prs_debug(ps, depth, desc, "lsa_io_q_lookup_priv_value"); depth++; if(!prs_align(ps)) @@ -2002,21 +2020,19 @@ BOOL lsa_io_q_lookupprivvalue(const char *desc, LSA_Q_LOOKUPPRIVVALUE *r_c, prs if(!smb_io_pol_hnd("pol", &r_c->pol, ps, depth)) return False; - if(!smb_io_unihdr ("hdr_name", &r_c->hdr_right, ps, depth)) - return False; - if(!smb_io_unistr2("uni2_right", &r_c->uni2_right, r_c->hdr_right.buffer, ps, depth)) + if(!smb_io_lsa_string("privname", &r_c->privname, ps, depth)) return False; return True; } /******************************************************************* - Reads or writes an LSA_R_LOOKUPPRIVVALUE structure. + Reads or writes an LSA_R_LOOKUP_PRIV_VALUE structure. ********************************************************************/ -BOOL lsa_io_r_lookupprivvalue(const char *desc, LSA_R_LOOKUPPRIVVALUE *r_c, prs_struct *ps, int depth) +BOOL lsa_io_r_lookup_priv_value(const char *desc, LSA_R_LOOKUP_PRIV_VALUE *r_c, prs_struct *ps, int depth) { - prs_debug(ps, depth, desc, "lsa_io_r_lookupprivvalue"); + prs_debug(ps, depth, desc, "lsa_io_r_lookup_priv_value"); depth++; if(!prs_align(ps)) @@ -2271,7 +2287,6 @@ BOOL lsa_io_r_query_info2(const char *desc, LSA_R_QUERY_INFO2 *r_c, return True; } - /******************************************************************* Inits an LSA_Q_ENUM_ACCT_RIGHTS structure. ********************************************************************/ diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c index e3c7832aac..dbd5d8c0bf 100644 --- a/source3/rpc_server/srv_lsa.c +++ b/source3/rpc_server/srv_lsa.c @@ -735,6 +735,39 @@ static BOOL api_lsa_enum_acct_rights(pipes_struct *p) } /*************************************************************************** + api_lsa_lookup_priv_value + ***************************************************************************/ + +static BOOL api_lsa_lookup_priv_value(pipes_struct *p) +{ + LSA_Q_LOOKUP_PRIV_VALUE q_u; + LSA_R_LOOKUP_PRIV_VALUE r_u; + + prs_struct *data = &p->in_data.data; + prs_struct *rdata = &p->out_data.rdata; + + ZERO_STRUCT(q_u); + ZERO_STRUCT(r_u); + + if(!lsa_io_q_lookup_priv_value("", &q_u, data, 0)) { + DEBUG(0,("api_lsa_lookup_priv_value: failed to unmarshall LSA_Q_LOOKUP_PRIV_VALUE .\n")); + return False; + } + + r_u.status = _lsa_lookup_priv_value(p, &q_u, &r_u); + + /* store the response in the SMB stream */ + if(!lsa_io_r_lookup_priv_value("", &r_u, rdata, 0)) { + DEBUG(0,("api_lsa_lookup_priv_value: Failed to marshall LSA_R_LOOKUP_PRIV_VALUE.\n")); + return False; + } + + return True; +} + +#if 0 /* AD DC work in ongoing in Samba 4 */ + +/*************************************************************************** api_lsa_query_info2 ***************************************************************************/ @@ -763,7 +796,7 @@ static BOOL api_lsa_query_info2(pipes_struct *p) return True; } - +#endif /* AD DC work in ongoing in Samba 4 */ /*************************************************************************** \PIPE\ntlsa commands @@ -794,15 +827,19 @@ static struct api_struct api_lsa_cmds[] = { "LSA_REMOVEACCTRIGHTS", LSA_REMOVEACCTRIGHTS, api_lsa_remove_acct_rights }, { "LSA_ENUMACCTRIGHTS" , LSA_ENUMACCTRIGHTS , api_lsa_enum_acct_rights }, { "LSA_QUERYSECOBJ" , LSA_QUERYSECOBJ , api_lsa_query_secobj }, + { "LSA_LOOKUPPRIVVALUE" , LSA_LOOKUPPRIVVALUE , api_lsa_lookup_priv_value } +#if 0 /* AD DC work in ongoing in Samba 4 */ /* be careful of the adding of new RPC's. See commentrs below about ADS DC capabilities */ { "LSA_QUERYINFO2" , LSA_QUERYINFO2 , api_lsa_query_info2 } +#endif /* AD DC work in ongoing in Samba 4 */ }; static int count_fns(void) { int funcs = sizeof(api_lsa_cmds) / sizeof(struct api_struct); +#if 0 /* AD DC work is on going in Samba 4 */ /* * NOTE: Certain calls can not be enabled if we aren't an ADS DC. Make sure * these calls are always last and that you decrement by the amount of calls @@ -811,6 +848,7 @@ static int count_fns(void) if (!(SEC_ADS == lp_security() && ROLE_DOMAIN_PDC == lp_server_role())) { funcs -= 1; } +#endif /* AD DC work in ongoing in Samba 4 */ return funcs; } diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index 225e5efd54..7ea35a91fa 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -8,6 +8,7 @@ * Copyright (C) Rafal Szczesniak 2002, * Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002, * Copyright (C) Simo Sorce 2003. + * Copyright (C) Gerald (Jerry) Carter 2005. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -345,6 +346,8 @@ static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *s return NT_STATUS_OK; } +#if 0 /* AD DC work in ongoing in Samba 4 */ + /*************************************************************************** Init_dns_dom_info. ***************************************************************************/ @@ -384,6 +387,8 @@ static void init_dns_dom_info(LSA_DNS_DOM_INFO *r_l, const char *nb_name, init_dom_sid2(&r_l->dom_sid, dom_sid); } } +#endif /* AD DC work in ongoing in Samba 4 */ + /*************************************************************************** _lsa_open_policy2. @@ -776,9 +781,6 @@ NTSTATUS _lsa_enum_privs(pipes_struct *p, LSA_Q_ENUM_PRIVS *q_u, LSA_R_ENUM_PRIV DEBUG(10,("_lsa_enum_privs: enum_context:%d total entries:%d\n", enum_context, num_privs)); - if ( !(entries = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_PRIV_ENTRY, num_privs + 1))) - return NT_STATUS_NO_MEMORY; - if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle)) return NT_STATUS_INVALID_HANDLE; @@ -791,7 +793,6 @@ NTSTATUS _lsa_enum_privs(pipes_struct *p, LSA_Q_ENUM_PRIVS *q_u, LSA_R_ENUM_PRIV if ( !(entries = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_PRIV_ENTRY, num_privs )) ) return NT_STATUS_NO_MEMORY; - for (i = 0; i < num_privs; i++) { if( i < enum_context) { init_unistr2(&entries[i].name, NULL, UNI_FLAGS_NONE); @@ -1143,7 +1144,7 @@ NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u /* check to see if the pipe_user is root or a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - + get_current_user( &user, p ); if ( user.uid != sec_initial_uid() && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) @@ -1184,7 +1185,7 @@ NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEP /* check to see if the pipe_user is root or a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - + get_current_user( &user, p ); if ( user.uid != sec_initial_uid() && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) @@ -1261,6 +1262,8 @@ NTSTATUS _lsa_query_secobj(pipes_struct *p, LSA_Q_QUERY_SEC_OBJ *q_u, LSA_R_QUER return r_u->status; } +#if 0 /* AD DC work in ongoing in Samba 4 */ + /*************************************************************************** ***************************************************************************/ @@ -1323,6 +1326,7 @@ NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_I return r_u->status; } +#endif /* AD DC work in ongoing in Samba 4 */ /*************************************************************************** ***************************************************************************/ @@ -1474,3 +1478,31 @@ NTSTATUS _lsa_enum_acct_rights(pipes_struct *p, LSA_Q_ENUM_ACCT_RIGHTS *q_u, LSA } +NTSTATUS _lsa_lookup_priv_value(pipes_struct *p, LSA_Q_LOOKUP_PRIV_VALUE *q_u, LSA_R_LOOKUP_PRIV_VALUE *r_u) +{ + struct lsa_info *info = NULL; + fstring name; + LUID_ATTR priv_luid; + SE_PRIV mask; + + /* find the connection policy handle. */ + + if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) + return NT_STATUS_INVALID_HANDLE; + + unistr2_to_ascii(name, &q_u->privname.unistring, sizeof(name)); + + DEBUG(10,("_lsa_priv_get_dispname: name = %s\n", name)); + + if ( !se_priv_from_name( name, &mask ) ) + return NT_STATUS_NO_SUCH_PRIVILEGE; + + priv_luid = get_privilege_luid( &mask ); + + r_u->luid.low = priv_luid.luid.low; + r_u->luid.high = priv_luid.luid.high; + + + return NT_STATUS_OK; +} + diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c index bcb131a76c..f6ecd8c706 100644 --- a/source3/rpcclient/cmd_lsarpc.c +++ b/source3/rpcclient/cmd_lsarpc.c @@ -176,6 +176,8 @@ static NTSTATUS cmd_lsa_lookup_names(struct cli_state *cli, sid_type_lookup(types[i]), types[i]); } + cli_lsa_close(cli, mem_ctx, &pol); + done: return result; } @@ -233,7 +235,7 @@ static NTSTATUS cmd_lsa_lookup_sids(struct cli_state *cli, TALLOC_CTX *mem_ctx, /* Print results */ - for (i = 0; i < argc - 1; i++) { + for (i = 0; i < (argc - 1); i++) { fstring sid_str; sid_to_string(sid_str, &sids[i]); @@ -242,6 +244,8 @@ static NTSTATUS cmd_lsa_lookup_sids(struct cli_state *cli, TALLOC_CTX *mem_ctx, names[i] ? names[i] : "*unknown*", types[i]); } + cli_lsa_close(cli, mem_ctx, &pol); + done: return result; } @@ -673,7 +677,7 @@ static NTSTATUS cmd_lsa_remove_acct_rights(struct cli_state *cli, /* Get a privilege value given its name */ -static NTSTATUS cmd_lsa_lookupprivvalue(struct cli_state *cli, +static NTSTATUS cmd_lsa_lookup_priv_value(struct cli_state *cli, TALLOC_CTX *mem_ctx, int argc, const char **argv) { @@ -693,7 +697,7 @@ static NTSTATUS cmd_lsa_lookupprivvalue(struct cli_state *cli, if (!NT_STATUS_IS_OK(result)) goto done; - result = cli_lsa_lookupprivvalue(cli, mem_ctx, &pol, argv[1], &luid); + result = cli_lsa_lookup_priv_value(cli, mem_ctx, &pol, argv[1], &luid); if (!NT_STATUS_IS_OK(result)) goto done; @@ -765,7 +769,7 @@ struct cmd_set lsarpc_commands[] = { #endif { "lsaaddacctrights", RPC_RTYPE_NTSTATUS, cmd_lsa_add_acct_rights, NULL, PI_LSARPC, "Add rights to an account", "" }, { "lsaremoveacctrights", RPC_RTYPE_NTSTATUS, cmd_lsa_remove_acct_rights, NULL, PI_LSARPC, "Remove rights from an account", "" }, - { "lsalookupprivvalue", RPC_RTYPE_NTSTATUS, cmd_lsa_lookupprivvalue, NULL, PI_LSARPC, "Get a privilege value given its name", "" }, + { "lsalookupprivvalue", RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_priv_value, NULL, PI_LSARPC, "Get a privilege value given its name", "" }, { "lsaquerysecobj", RPC_RTYPE_NTSTATUS, cmd_lsa_query_secobj, NULL, PI_LSARPC, "Query LSA security object", "" }, { NULL } |