summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2002-10-18 19:46:28 +0000
committerJeremy Allison <jra@samba.org>2002-10-18 19:46:28 +0000
commite13dd2f3025a557bbd71765a684005562591843d (patch)
tree7f36802b8b2baffd502f56f89b686417857a45b8 /source3
parent0fc3596a95dc54c27cbb3edf6ebb264e646299af (diff)
downloadsamba-e13dd2f3025a557bbd71765a684005562591843d.tar.gz
samba-e13dd2f3025a557bbd71765a684005562591843d.tar.bz2
samba-e13dd2f3025a557bbd71765a684005562591843d.zip
Start to merge the new ACL mapping code from Andreas Gruenbacher <agruen@suse.de>.
Jeremy. (This used to be commit f6103f866a5e698ab55fdab1444a14e3d8da16bb)
Diffstat (limited to 'source3')
-rw-r--r--source3/lib/util_sid.c106
-rw-r--r--source3/passdb/util_sam_sid.c48
2 files changed, 106 insertions, 48 deletions
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index c5b4a143ea..f01479f1cc 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -55,6 +55,11 @@ DOM_SID global_sid_Builtin_Print_Operators; /* Builtin print operators */
DOM_SID global_sid_Builtin_Backup_Operators; /* Builtin backup operators */
DOM_SID global_sid_Builtin_Replicator; /* Builtin replicator */
+#define SECURITY_NULL_SID_AUTHORITY 0
+#define SECURITY_WORLD_SID_AUTHORITY 1
+#define SECURITY_LOCAL_SID_AUTHORITY 2
+#define SECURITY_CREATOR_SID_AUTHORITY 3
+#define SECURITY_NT_AUTHORITY 5
/*
* An NT compatible anonymous token.
@@ -63,14 +68,14 @@ DOM_SID global_sid_Builtin_Replicator; /* Builtin replicator */
static DOM_SID anon_sid_array[3];
NT_USER_TOKEN anonymous_token = {
- 3,
- anon_sid_array
+ 3,
+ anon_sid_array
};
static DOM_SID system_sid_array[4];
NT_USER_TOKEN system_token = {
- 1,
- system_sid_array
+ 1,
+ system_sid_array
};
/****************************************************************************
@@ -81,13 +86,13 @@ const static struct {
enum SID_NAME_USE sid_type;
char *string;
} sid_name_type[] = {
- {SID_NAME_USER, "user"},
- {SID_NAME_DOM_GRP, "domain group"},
- {SID_NAME_DOMAIN, "domain"},
- {SID_NAME_ALIAS, "local group"},
- {SID_NAME_WKN_GRP, "well-known group"},
- {SID_NAME_DELETED, "deleted account"},
- {SID_NAME_INVALID, "invalid account"},
+ {SID_NAME_USER, "User"},
+ {SID_NAME_DOM_GRP, "Domain Group"},
+ {SID_NAME_DOMAIN, "Domain"},
+ {SID_NAME_ALIAS, "Local Group"},
+ {SID_NAME_WKN_GRP, "Well-known Group"},
+ {SID_NAME_DELETED, "Deleted Account"},
+ {SID_NAME_INVALID, "Invalid Account"},
{SID_NAME_UNKNOWN, "UNKNOWN"},
{SID_NAME_USE_NONE, NULL}
@@ -106,10 +111,8 @@ const char *sid_type_lookup(uint32 sid_type)
/* Default return */
return "SID *TYPE* is INVALID";
-
}
-
/****************************************************************************
Creates some useful well known sids
****************************************************************************/
@@ -117,22 +120,30 @@ const char *sid_type_lookup(uint32 sid_type)
void generate_wellknown_sids(void)
{
static BOOL initialised = False;
+
if (initialised)
return;
+ /* SECURITY_NULL_SID_AUTHORITY */
+ string_to_sid(&global_sid_NULL, "S-1-0-0");
+
+ /* SECURITY_WORLD_SID_AUTHORITY */
string_to_sid(&global_sid_World_Domain, "S-1-1");
string_to_sid(&global_sid_World, "S-1-1-0");
+
+ /* SECURITY_CREATOR_SID_AUTHORITY */
string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3");
string_to_sid(&global_sid_Creator_Owner, "S-1-3-0");
string_to_sid(&global_sid_Creator_Group, "S-1-3-1");
+
+ /* SECURITY_NT_AUTHORITY */
string_to_sid(&global_sid_NT_Authority, "S-1-5");
- string_to_sid(&global_sid_System, "S-1-5-18");
- string_to_sid(&global_sid_NULL, "S-1-0-0");
- string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11");
string_to_sid(&global_sid_Network, "S-1-5-2");
string_to_sid(&global_sid_Anonymous, "S-1-5-7");
+ string_to_sid(&global_sid_Authenticated_Users, "S-1-5-11");
+ string_to_sid(&global_sid_System, "S-1-5-18");
- /* create well known builtin SIDs */
+ /* SECURITY_BUILTIN_DOMAIN_RID */
string_to_sid(&global_sid_Builtin, "S-1-5-32");
string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544");
string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545");
@@ -195,40 +206,59 @@ void split_domain_name(const char *fullname, char *domain, char *name)
fullname, domain, name));
}
+/****************************************************************************
+ Test if a SID is wellknown and resolvable.
+****************************************************************************/
+
+BOOL resolvable_wellknown_sid(DOM_SID *sid)
+{
+ uint32 ia = (sid->id_auth[5]) +
+ (sid->id_auth[4] << 8 ) +
+ (sid->id_auth[3] << 16) +
+ (sid->id_auth[2] << 24);
+
+ if (sid->sid_rev_num != SEC_DESC_REVISION || sid->num_auths < 1)
+ return False;
+
+ return (ia == SECURITY_WORLD_SID_AUTHORITY ||
+ ia == SECURITY_CREATOR_SID_AUTHORITY);
+}
+
/*****************************************************************
Convert a SID to an ascii string.
*****************************************************************/
char *sid_to_string(fstring sidstr_out, const DOM_SID *sid)
{
- char subauth[16];
- int i;
- uint32 ia;
+ char subauth[16];
+ int i;
+ uint32 ia;
- if (!sid) {
- fstrcpy(sidstr_out, "(NULL SID)");
- return sidstr_out;
- }
+ if (!sid) {
+ fstrcpy(sidstr_out, "(NULL SID)");
+ return sidstr_out;
+ }
- /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
- ia = (sid->id_auth[5]) +
- (sid->id_auth[4] << 8 ) +
- (sid->id_auth[3] << 16) +
- (sid->id_auth[2] << 24);
+ /* BIG NOTE: this function only does SIDS where the identauth is not >= 2^32 */
+ ia = (sid->id_auth[5]) +
+ (sid->id_auth[4] << 8 ) +
+ (sid->id_auth[3] << 16) +
+ (sid->id_auth[2] << 24);
- slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia);
+ slprintf(sidstr_out, sizeof(fstring) - 1, "S-%u-%lu", (unsigned int)sid->sid_rev_num, (unsigned long)ia);
- for (i = 0; i < sid->num_auths; i++) {
- slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]);
- fstrcat(sidstr_out, subauth);
- }
+ for (i = 0; i < sid->num_auths; i++) {
+ slprintf(subauth, sizeof(subauth)-1, "-%lu", (unsigned long)sid->sub_auths[i]);
+ fstrcat(sidstr_out, subauth);
+ }
- return sidstr_out;
+ return sidstr_out;
}
-/*
- useful function for debug lines
-*/
+/*****************************************************************
+ Useful function for debug lines.
+*****************************************************************/
+
const char *sid_string_static(const DOM_SID *sid)
{
static fstring sid_str;
diff --git a/source3/passdb/util_sam_sid.c b/source3/passdb/util_sam_sid.c
index 6ec1e48ab3..60998003f6 100644
--- a/source3/passdb/util_sam_sid.c
+++ b/source3/passdb/util_sam_sid.c
@@ -54,7 +54,8 @@ static known_sid_users everyone_users[] = {
{0, (enum SID_NAME_USE)0, NULL}};
static known_sid_users creator_owner_users[] = {
- { 0, SID_NAME_ALIAS, "Creator Owner" },
+ { 0, SID_NAME_WKN_GRP, "Creator Owner" },
+ { 1, SID_NAME_WKN_GRP, "Creator Group" },
{0, (enum SID_NAME_USE)0, NULL}};
static known_sid_users nt_authority_users[] = {
@@ -80,11 +81,10 @@ static known_sid_users builtin_groups[] = {
{ BUILTIN_ALIAS_RID_BACKUP_OPS, SID_NAME_ALIAS, "Backup Operators" },
{ 0, (enum SID_NAME_USE)0, NULL}};
-
-
/**************************************************************************
- quick init function
- *************************************************************************/
+ Quick init function.
+*************************************************************************/
+
static void init_sid_name_map (void)
{
int i = 0;
@@ -105,8 +105,7 @@ static void init_sid_name_map (void)
sid_name_map[i].name = global_myname;
sid_name_map[i].known_users = NULL;
i++;
- }
- else {
+ } else {
sid_name_map[i].sid = get_global_sam_sid();
sid_name_map[i].name = global_myname;
sid_name_map[i].known_users = NULL;
@@ -133,8 +132,7 @@ static void init_sid_name_map (void)
sid_name_map[i].known_users = &nt_authority_users[0];
i++;
-
- /* end of array */
+ /* End of array. */
sid_name_map[i].sid = NULL;
sid_name_map[i].name = NULL;
sid_name_map[i].known_users = NULL;
@@ -142,7 +140,6 @@ static void init_sid_name_map (void)
sid_name_map_initialized = True;
return;
-
}
/**************************************************************************
@@ -257,6 +254,7 @@ BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain)
/*****************************************************************
Check if the SID is our domain SID (S-1-5-21-x-y-z).
*****************************************************************/
+
BOOL sid_check_is_domain(const DOM_SID *sid)
{
return sid_equal(sid, get_global_sam_sid());
@@ -265,6 +263,7 @@ BOOL sid_check_is_domain(const DOM_SID *sid)
/*****************************************************************
Check if the SID is our domain SID (S-1-5-21-x-y-z).
*****************************************************************/
+
BOOL sid_check_is_in_our_domain(const DOM_SID *sid)
{
DOM_SID dom_sid;
@@ -276,3 +275,32 @@ BOOL sid_check_is_in_our_domain(const DOM_SID *sid)
return sid_equal(&dom_sid, get_global_sam_sid());
}
+/**************************************************************************
+ Try and map a name to one of the well known SIDs.
+***************************************************************************/
+
+BOOL map_name_to_wellknown_sid(DOM_SID *sid, enum SID_NAME_USE *use, const char *name)
+{
+ int i, j;
+
+ if (!sid_name_map_initialized)
+ init_sid_name_map();
+
+ for (i=0; sid_name_map[i].sid != NULL; i++) {
+ known_sid_users *users = sid_name_map[i].known_users;
+
+ if (users == NULL)
+ continue;
+
+ for (j=0; users[j].known_user_name != NULL; j++) {
+ if (strequal(users[j].known_user_name, name) == 0) {
+ sid_copy(sid, sid_name_map[i].sid);
+ sid_append_rid(sid, users[j].rid);
+ *use = users[j].sid_name_use;
+ return True;
+ }
+ }
+ }
+
+ return False;
+}