summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2005-03-10 18:50:47 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:55:57 -0500
commit66df8431ec092c4e629fc07e8e5a242ff3821b2d (patch)
tree17d58c731f37eaf257e194e38d04dbe299d29551 /source3
parent3e4bc25f44c9456cab00b4919b2ead22d5ea91f7 (diff)
downloadsamba-66df8431ec092c4e629fc07e8e5a242ff3821b2d.tar.gz
samba-66df8431ec092c4e629fc07e8e5a242ff3821b2d.tar.bz2
samba-66df8431ec092c4e629fc07e8e5a242ff3821b2d.zip
r5726: merge LsaLookupPrivValue() code from trunk
(This used to be commit 277203b5356af58ce62eb4eec0db2eccadeeffd6)
Diffstat (limited to 'source3')
-rw-r--r--source3/include/privileges.h2
-rw-r--r--source3/include/rpc_lsa.h19
-rw-r--r--source3/lib/privileges.c116
-rw-r--r--source3/rpc_client/cli_lsarpc.c12
-rw-r--r--source3/rpc_parse/parse_lsa.c43
-rw-r--r--source3/rpc_server/srv_lsa.c40
-rw-r--r--source3/rpc_server/srv_lsa_nt.c44
-rw-r--r--source3/rpcclient/cmd_lsarpc.c12
8 files changed, 187 insertions, 101 deletions
diff --git a/source3/include/privileges.h b/source3/include/privileges.h
index 5266e46e3a..c7a9b0560d 100644
--- a/source3/include/privileges.h
+++ b/source3/include/privileges.h
@@ -6,7 +6,7 @@
Copyright (C) Luke Kenneth Casson Leighton 1996-1997
Copyright (C) Paul Ashton 1997
Copyright (C) Simo Sorce 2003
- Copyright (C) Gerald (Jerry) Carter 2004
+ Copyright (C) Gerald (Jerry) Carter 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
diff --git a/source3/include/rpc_lsa.h b/source3/include/rpc_lsa.h
index 01add64727..a0d78280c2 100644
--- a/source3/include/rpc_lsa.h
+++ b/source3/include/rpc_lsa.h
@@ -698,20 +698,20 @@ typedef struct lsa_r_setsystemaccount
NTSTATUS status;
} LSA_R_SETSYSTEMACCOUNT;
+typedef struct {
+ UNIHDR hdr;
+ UNISTR2 unistring;
+} LSA_STRING;
-typedef struct lsa_q_lookupprivvalue
-{
+typedef struct {
POLICY_HND pol; /* policy handle */
- UNIHDR hdr_right;
- UNISTR2 uni2_right;
-} LSA_Q_LOOKUPPRIVVALUE;
+ LSA_STRING privname;
+} LSA_Q_LOOKUP_PRIV_VALUE;
-typedef struct lsa_r_lookupprivvalue
-{
+typedef struct {
LUID luid;
NTSTATUS status;
-} LSA_R_LOOKUPPRIVVALUE;
-
+} LSA_R_LOOKUP_PRIV_VALUE;
typedef struct lsa_q_addprivs
{
@@ -740,5 +740,4 @@ typedef struct lsa_r_removeprivs
NTSTATUS status;
} LSA_R_REMOVEPRIVS;
-
#endif /* _RPC_LSA_H */
diff --git a/source3/lib/privileges.c b/source3/lib/privileges.c
index 5a5afa4d72..8b5348e1f2 100644
--- a/source3/lib/privileges.c
+++ b/source3/lib/privileges.c
@@ -3,7 +3,7 @@
Privileges handling functions
Copyright (C) Jean François Micouleau 1998-2001
Copyright (C) Simo Sorce 2002-2003
- Copyright (C) Gerald (Jerry) Carter 2004
+ Copyright (C) Gerald (Jerry) Carter 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -40,6 +40,43 @@ const SE_PRIV se_add_users = SE_ADD_USERS;
const SE_PRIV se_disk_operators = SE_DISK_OPERATOR;
const SE_PRIV se_remote_shutdown = SE_REMOTE_SHUTDOWN;
+/********************************************************************
+ This is a list of privileges reported by a WIndows 2000 SP4 AD DC
+ just for reference purposes:
+
+ SeCreateTokenPrivilege Create a token object
+ SeAssignPrimaryTokenPrivilege Replace a process level token
+ SeLockMemoryPrivilege Lock pages in memory
+ SeIncreaseQuotaPrivilege Increase quotas
+ SeMachineAccountPrivilege Add workstations to domain
+ SeTcbPrivilege Act as part of the operating system
+ SeSecurityPrivilege Manage auditing and security log
+ SeTakeOwnershipPrivilege Take ownership of files or other objects
+ SeLoadDriverPrivilege Load and unload device drivers
+ SeSystemProfilePrivilege Profile system performance
+ SeSystemtimePrivilege Change the system time
+ SeProfileSingleProcessPrivilege Profile single process
+ SeIncreaseBasePriorityPrivilege Increase scheduling priority
+ SeCreatePagefilePrivilege Create a pagefile
+ SeCreatePermanentPrivilege Create permanent shared objects
+ SeBackupPrivilege Back up files and directories
+ SeRestorePrivilege Restore files and directories
+ SeShutdownPrivilege Shut down the system
+ SeDebugPrivilege Debug programs
+ SeAuditPrivilege Generate security audits
+ SeSystemEnvironmentPrivilege Modify firmware environment values
+ SeChangeNotifyPrivilege Bypass traverse checking
+ SeRemoteShutdownPrivilege Force shutdown from a remote system
+ SeUndockPrivilege Remove computer from docking station
+ SeSyncAgentPrivilege Synchronize directory service data
+ SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation
+ SeManageVolumePrivilege Perform volume maintenance tasks
+ SeImpersonatePrivilege Impersonate a client after authentication
+ SeCreateGlobalPrivilege Create global objects
+
+********************************************************************/
+
+
PRIVS privs[] = {
#if 0 /* usrmgr will display these twice if you include them. We don't
use them but we'll keep the bitmasks reserved in privileges.h anyways */
@@ -58,38 +95,6 @@ PRIVS privs[] = {
{SE_END, "", ""}
};
-#if 0 /* not needed currently */
-PRIVS privs[] = {
- {SE_ASSIGN_PRIMARY_TOKEN, "SeAssignPrimaryTokenPrivilege", "Assign Primary Token"},
- {SE_CREATE_TOKEN, "SeCreateTokenPrivilege", "Create Token"},
- {SE_LOCK_MEMORY, "SeLockMemoryPrivilege", "Lock Memory"},
- {SE_INCREASE_QUOTA, "SeIncreaseQuotaPrivilege", "Increase Quota"},
- {SE_UNSOLICITED_INPUT, "SeUnsolicitedInputPrivilege", "Unsolicited Input"},
- {SE_TCB, "SeTcbPrivilege", "Act as part of the operating system"},
- {SE_SECURITY, "SeSecurityPrivilege", "Security Privilege"},
- {SE_TAKE_OWNERSHIP, "SeTakeOwnershipPrivilege", "Take Ownership Privilege"},
- {SE_LOAD_DRIVER, "SeLocalDriverPrivilege", "Local Driver Privilege"},
- {SE_SYSTEM_PROFILE, "SeSystemProfilePrivilege", "System Profile Privilege"},
- {SE_SYSTEM_TIME, "SeSystemtimePrivilege", "System Time"},
- {SE_PROF_SINGLE_PROCESS, "SeProfileSingleProcessPrivilege", "Profile Single Process Privilege"},
- {SE_INC_BASE_PRIORITY, "SeIncreaseBasePriorityPrivilege", "Increase Base Priority Privilege"},
- {SE_CREATE_PAGEFILE, "SeCreatePagefilePrivilege", "Create Pagefile Privilege"},
- {SE_CREATE_PERMANENT, "SeCreatePermanentPrivilege", "Create Permanent"},
- {SE_BACKUP, "SeBackupPrivilege", "Backup Privilege"},
- {SE_RESTORE, "SeRestorePrivilege", "Restore Privilege"},
- {SE_SHUTDOWN, "SeShutdownPrivilege", "Shutdown Privilege"},
- {SE_DEBUG, "SeDebugPrivilege", "Debug Privilege"},
- {SE_AUDIT, "SeAuditPrivilege", "Audit"},
- {SE_SYSTEM_ENVIRONMENT, "SeSystemEnvironmentPrivilege", "System Environment Privilege"},
- {SE_CHANGE_NOTIFY, "SeChangeNotifyPrivilege", "Change Notify"},
- {SE_UNDOCK, "SeUndockPrivilege", "Undock"},
- {SE_SYNC_AGENT, "SeSynchronizationAgentPrivilege", "Synchronization Agent"},
- {SE_ENABLE_DELEGATION, "SeEnableDelegationPrivilege", "Enable Delegation"},
- {SE_ALL_PRIVS, "SeAllPrivileges", "All Privileges"}
- {SE_END, "", ""}
-};
-#endif
-
typedef struct priv_sid_list {
SE_PRIV privilege;
SID_LIST sids;
@@ -177,6 +182,24 @@ static BOOL se_priv_empty( const SE_PRIV *mask )
return se_priv_equal( &p1, &se_priv_none );
}
+/*********************************************************************
+ Lookup the SE_PRIV value for a privilege name
+*********************************************************************/
+
+BOOL se_priv_from_name( const char *name, SE_PRIV *mask )
+{
+ int i;
+
+ for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
+ if ( strequal( privs[i].name, name ) ) {
+ se_priv_copy( mask, &privs[i].se_priv );
+ return True;
+ }
+ }
+
+ return False;
+}
+
/***************************************************************************
dump an SE_PRIV structure to the log files
****************************************************************************/
@@ -369,11 +392,9 @@ LUID_ATTR get_privilege_luid( SE_PRIV *mask )
for ( i=0; !se_priv_equal(&privs[i].se_priv, &se_priv_end); i++ ) {
- /* just use the index+1 (so its non-zero) into the
- array as the lower portion of the LUID */
-
if ( se_priv_equal( &privs[i].se_priv, mask ) ) {
priv_luid.luid.low = GENERATE_LUID_LOW(i);
+ break;
}
}
@@ -664,9 +685,6 @@ NTSTATUS dup_luid_attr(TALLOC_CTX *mem_ctx, LUID_ATTR **new_la, LUID_ATTR *old_l
{
int i;
- /* don't crash if the source pointer is NULL (since we don't
- do priviledges now anyways) */
-
if ( !old_la )
return NT_STATUS_OK;
@@ -731,26 +749,6 @@ char* luid_to_privilege_name(const LUID *set)
return name;
}
-/****************************************************************************
- Convert an LUID to a 32-bit mask
-****************************************************************************/
-
-SE_PRIV* luid_to_privilege_mask(const LUID *set)
-{
- static SE_PRIV mask;
- int max = count_all_privileges();
-
- if (set->high != 0)
- return NULL;
-
- if ( set->low > max )
- return NULL;
-
- se_priv_copy( &mask, &privs[set->low - 1].se_priv );
-
- return &mask;
-}
-
/*******************************************************************
return the number of elements in the privlege array
*******************************************************************/
diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c
index 98c2475a65..45b7509d45 100644
--- a/source3/rpc_client/cli_lsarpc.c
+++ b/source3/rpc_client/cli_lsarpc.c
@@ -1110,12 +1110,12 @@ NTSTATUS cli_lsa_enum_privsaccount(struct cli_state *cli, TALLOC_CTX *mem_ctx,
/** Get a privilege value given its name */
-NTSTATUS cli_lsa_lookupprivvalue(struct cli_state *cli, TALLOC_CTX *mem_ctx,
+NTSTATUS cli_lsa_lookup_priv_value(struct cli_state *cli, TALLOC_CTX *mem_ctx,
POLICY_HND *pol, const char *name, LUID *luid)
{
prs_struct qbuf, rbuf;
- LSA_Q_LOOKUPPRIVVALUE q;
- LSA_R_LOOKUPPRIVVALUE r;
+ LSA_Q_LOOKUP_PRIV_VALUE q;
+ LSA_R_LOOKUP_PRIV_VALUE r;
NTSTATUS result;
ZERO_STRUCT(q);
@@ -1128,9 +1128,9 @@ NTSTATUS cli_lsa_lookupprivvalue(struct cli_state *cli, TALLOC_CTX *mem_ctx,
/* Marshall data and send request */
- init_lsa_q_lookupprivvalue(&q, pol, name);
+ init_lsa_q_lookup_priv_value(&q, pol, name);
- if (!lsa_io_q_lookupprivvalue("", &q, &qbuf, 0) ||
+ if (!lsa_io_q_lookup_priv_value("", &q, &qbuf, 0) ||
!rpc_api_pipe_req(cli, PI_LSARPC, LSA_LOOKUPPRIVVALUE, &qbuf, &rbuf)) {
result = NT_STATUS_UNSUCCESSFUL;
goto done;
@@ -1138,7 +1138,7 @@ NTSTATUS cli_lsa_lookupprivvalue(struct cli_state *cli, TALLOC_CTX *mem_ctx,
/* Unmarshall response */
- if (!lsa_io_r_lookupprivvalue("", &r, &rbuf, 0)) {
+ if (!lsa_io_r_lookup_priv_value("", &r, &rbuf, 0)) {
result = NT_STATUS_UNSUCCESSFUL;
goto done;
}
diff --git a/source3/rpc_parse/parse_lsa.c b/source3/rpc_parse/parse_lsa.c
index e38197ddba..bbff258722 100644
--- a/source3/rpc_parse/parse_lsa.c
+++ b/source3/rpc_parse/parse_lsa.c
@@ -1981,20 +1981,38 @@ BOOL lsa_io_r_setsystemaccount(const char *desc, LSA_R_SETSYSTEMACCOUNT *r_c, p
}
-void init_lsa_q_lookupprivvalue(LSA_Q_LOOKUPPRIVVALUE *trn, POLICY_HND *hnd, const char *name)
+static void init_lsa_string( LSA_STRING *uni, const char *string )
{
- memcpy(&trn->pol, hnd, sizeof(trn->pol));
- init_unistr2(&trn->uni2_right, name, UNI_FLAGS_NONE);
- init_uni_hdr(&trn->hdr_right, &trn->uni2_right);
+ init_unistr2(&uni->unistring, string, UNI_FLAGS_NONE);
+ init_uni_hdr(&uni->hdr, &uni->unistring);
+}
+
+void init_lsa_q_lookup_priv_value(LSA_Q_LOOKUP_PRIV_VALUE *q_u, POLICY_HND *hnd, const char *name)
+{
+ memcpy(&q_u->pol, hnd, sizeof(q_u->pol));
+ init_lsa_string( &q_u->privname, name );
+}
+
+BOOL smb_io_lsa_string( const char *desc, LSA_STRING *string, prs_struct *ps, int depth )
+{
+ prs_debug(ps, depth, desc, "smb_io_lsa_string");
+ depth++;
+
+ if(!smb_io_unihdr ("hdr", &string->hdr, ps, depth))
+ return False;
+ if(!smb_io_unistr2("unistring", &string->unistring, string->hdr.buffer, ps, depth))
+ return False;
+
+ return True;
}
/*******************************************************************
- Reads or writes an LSA_Q_LOOKUPPRIVVALUE structure.
+ Reads or writes an LSA_Q_LOOKUP_PRIV_VALUE structure.
********************************************************************/
-BOOL lsa_io_q_lookupprivvalue(const char *desc, LSA_Q_LOOKUPPRIVVALUE *r_c, prs_struct *ps, int depth)
+BOOL lsa_io_q_lookup_priv_value(const char *desc, LSA_Q_LOOKUP_PRIV_VALUE *r_c, prs_struct *ps, int depth)
{
- prs_debug(ps, depth, desc, "lsa_io_q_lookupprivvalue");
+ prs_debug(ps, depth, desc, "lsa_io_q_lookup_priv_value");
depth++;
if(!prs_align(ps))
@@ -2002,21 +2020,19 @@ BOOL lsa_io_q_lookupprivvalue(const char *desc, LSA_Q_LOOKUPPRIVVALUE *r_c, prs
if(!smb_io_pol_hnd("pol", &r_c->pol, ps, depth))
return False;
- if(!smb_io_unihdr ("hdr_name", &r_c->hdr_right, ps, depth))
- return False;
- if(!smb_io_unistr2("uni2_right", &r_c->uni2_right, r_c->hdr_right.buffer, ps, depth))
+ if(!smb_io_lsa_string("privname", &r_c->privname, ps, depth))
return False;
return True;
}
/*******************************************************************
- Reads or writes an LSA_R_LOOKUPPRIVVALUE structure.
+ Reads or writes an LSA_R_LOOKUP_PRIV_VALUE structure.
********************************************************************/
-BOOL lsa_io_r_lookupprivvalue(const char *desc, LSA_R_LOOKUPPRIVVALUE *r_c, prs_struct *ps, int depth)
+BOOL lsa_io_r_lookup_priv_value(const char *desc, LSA_R_LOOKUP_PRIV_VALUE *r_c, prs_struct *ps, int depth)
{
- prs_debug(ps, depth, desc, "lsa_io_r_lookupprivvalue");
+ prs_debug(ps, depth, desc, "lsa_io_r_lookup_priv_value");
depth++;
if(!prs_align(ps))
@@ -2271,7 +2287,6 @@ BOOL lsa_io_r_query_info2(const char *desc, LSA_R_QUERY_INFO2 *r_c,
return True;
}
-
/*******************************************************************
Inits an LSA_Q_ENUM_ACCT_RIGHTS structure.
********************************************************************/
diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c
index e3c7832aac..dbd5d8c0bf 100644
--- a/source3/rpc_server/srv_lsa.c
+++ b/source3/rpc_server/srv_lsa.c
@@ -735,6 +735,39 @@ static BOOL api_lsa_enum_acct_rights(pipes_struct *p)
}
/***************************************************************************
+ api_lsa_lookup_priv_value
+ ***************************************************************************/
+
+static BOOL api_lsa_lookup_priv_value(pipes_struct *p)
+{
+ LSA_Q_LOOKUP_PRIV_VALUE q_u;
+ LSA_R_LOOKUP_PRIV_VALUE r_u;
+
+ prs_struct *data = &p->in_data.data;
+ prs_struct *rdata = &p->out_data.rdata;
+
+ ZERO_STRUCT(q_u);
+ ZERO_STRUCT(r_u);
+
+ if(!lsa_io_q_lookup_priv_value("", &q_u, data, 0)) {
+ DEBUG(0,("api_lsa_lookup_priv_value: failed to unmarshall LSA_Q_LOOKUP_PRIV_VALUE .\n"));
+ return False;
+ }
+
+ r_u.status = _lsa_lookup_priv_value(p, &q_u, &r_u);
+
+ /* store the response in the SMB stream */
+ if(!lsa_io_r_lookup_priv_value("", &r_u, rdata, 0)) {
+ DEBUG(0,("api_lsa_lookup_priv_value: Failed to marshall LSA_R_LOOKUP_PRIV_VALUE.\n"));
+ return False;
+ }
+
+ return True;
+}
+
+#if 0 /* AD DC work in ongoing in Samba 4 */
+
+/***************************************************************************
api_lsa_query_info2
***************************************************************************/
@@ -763,7 +796,7 @@ static BOOL api_lsa_query_info2(pipes_struct *p)
return True;
}
-
+#endif /* AD DC work in ongoing in Samba 4 */
/***************************************************************************
\PIPE\ntlsa commands
@@ -794,15 +827,19 @@ static struct api_struct api_lsa_cmds[] =
{ "LSA_REMOVEACCTRIGHTS", LSA_REMOVEACCTRIGHTS, api_lsa_remove_acct_rights },
{ "LSA_ENUMACCTRIGHTS" , LSA_ENUMACCTRIGHTS , api_lsa_enum_acct_rights },
{ "LSA_QUERYSECOBJ" , LSA_QUERYSECOBJ , api_lsa_query_secobj },
+ { "LSA_LOOKUPPRIVVALUE" , LSA_LOOKUPPRIVVALUE , api_lsa_lookup_priv_value }
+#if 0 /* AD DC work in ongoing in Samba 4 */
/* be careful of the adding of new RPC's. See commentrs below about
ADS DC capabilities */
{ "LSA_QUERYINFO2" , LSA_QUERYINFO2 , api_lsa_query_info2 }
+#endif /* AD DC work in ongoing in Samba 4 */
};
static int count_fns(void)
{
int funcs = sizeof(api_lsa_cmds) / sizeof(struct api_struct);
+#if 0 /* AD DC work is on going in Samba 4 */
/*
* NOTE: Certain calls can not be enabled if we aren't an ADS DC. Make sure
* these calls are always last and that you decrement by the amount of calls
@@ -811,6 +848,7 @@ static int count_fns(void)
if (!(SEC_ADS == lp_security() && ROLE_DOMAIN_PDC == lp_server_role())) {
funcs -= 1;
}
+#endif /* AD DC work in ongoing in Samba 4 */
return funcs;
}
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 225e5efd54..7ea35a91fa 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -8,6 +8,7 @@
* Copyright (C) Rafal Szczesniak 2002,
* Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002,
* Copyright (C) Simo Sorce 2003.
+ * Copyright (C) Gerald (Jerry) Carter 2005.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -345,6 +346,8 @@ static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *s
return NT_STATUS_OK;
}
+#if 0 /* AD DC work in ongoing in Samba 4 */
+
/***************************************************************************
Init_dns_dom_info.
***************************************************************************/
@@ -384,6 +387,8 @@ static void init_dns_dom_info(LSA_DNS_DOM_INFO *r_l, const char *nb_name,
init_dom_sid2(&r_l->dom_sid, dom_sid);
}
}
+#endif /* AD DC work in ongoing in Samba 4 */
+
/***************************************************************************
_lsa_open_policy2.
@@ -776,9 +781,6 @@ NTSTATUS _lsa_enum_privs(pipes_struct *p, LSA_Q_ENUM_PRIVS *q_u, LSA_R_ENUM_PRIV
DEBUG(10,("_lsa_enum_privs: enum_context:%d total entries:%d\n",
enum_context, num_privs));
- if ( !(entries = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_PRIV_ENTRY, num_privs + 1)))
- return NT_STATUS_NO_MEMORY;
-
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
return NT_STATUS_INVALID_HANDLE;
@@ -791,7 +793,6 @@ NTSTATUS _lsa_enum_privs(pipes_struct *p, LSA_Q_ENUM_PRIVS *q_u, LSA_R_ENUM_PRIV
if ( !(entries = TALLOC_ZERO_ARRAY(p->mem_ctx, LSA_PRIV_ENTRY, num_privs )) )
return NT_STATUS_NO_MEMORY;
-
for (i = 0; i < num_privs; i++) {
if( i < enum_context) {
init_unistr2(&entries[i].name, NULL, UNI_FLAGS_NONE);
@@ -1143,7 +1144,7 @@ NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u
/* check to see if the pipe_user is root or a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
-
+
get_current_user( &user, p );
if ( user.uid != sec_initial_uid()
&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
@@ -1184,7 +1185,7 @@ NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEP
/* check to see if the pipe_user is root or a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
-
+
get_current_user( &user, p );
if ( user.uid != sec_initial_uid()
&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
@@ -1261,6 +1262,8 @@ NTSTATUS _lsa_query_secobj(pipes_struct *p, LSA_Q_QUERY_SEC_OBJ *q_u, LSA_R_QUER
return r_u->status;
}
+#if 0 /* AD DC work in ongoing in Samba 4 */
+
/***************************************************************************
***************************************************************************/
@@ -1323,6 +1326,7 @@ NTSTATUS _lsa_query_info2(pipes_struct *p, LSA_Q_QUERY_INFO2 *q_u, LSA_R_QUERY_I
return r_u->status;
}
+#endif /* AD DC work in ongoing in Samba 4 */
/***************************************************************************
***************************************************************************/
@@ -1474,3 +1478,31 @@ NTSTATUS _lsa_enum_acct_rights(pipes_struct *p, LSA_Q_ENUM_ACCT_RIGHTS *q_u, LSA
}
+NTSTATUS _lsa_lookup_priv_value(pipes_struct *p, LSA_Q_LOOKUP_PRIV_VALUE *q_u, LSA_R_LOOKUP_PRIV_VALUE *r_u)
+{
+ struct lsa_info *info = NULL;
+ fstring name;
+ LUID_ATTR priv_luid;
+ SE_PRIV mask;
+
+ /* find the connection policy handle. */
+
+ if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
+ return NT_STATUS_INVALID_HANDLE;
+
+ unistr2_to_ascii(name, &q_u->privname.unistring, sizeof(name));
+
+ DEBUG(10,("_lsa_priv_get_dispname: name = %s\n", name));
+
+ if ( !se_priv_from_name( name, &mask ) )
+ return NT_STATUS_NO_SUCH_PRIVILEGE;
+
+ priv_luid = get_privilege_luid( &mask );
+
+ r_u->luid.low = priv_luid.luid.low;
+ r_u->luid.high = priv_luid.luid.high;
+
+
+ return NT_STATUS_OK;
+}
+
diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
index bcb131a76c..f6ecd8c706 100644
--- a/source3/rpcclient/cmd_lsarpc.c
+++ b/source3/rpcclient/cmd_lsarpc.c
@@ -176,6 +176,8 @@ static NTSTATUS cmd_lsa_lookup_names(struct cli_state *cli,
sid_type_lookup(types[i]), types[i]);
}
+ cli_lsa_close(cli, mem_ctx, &pol);
+
done:
return result;
}
@@ -233,7 +235,7 @@ static NTSTATUS cmd_lsa_lookup_sids(struct cli_state *cli, TALLOC_CTX *mem_ctx,
/* Print results */
- for (i = 0; i < argc - 1; i++) {
+ for (i = 0; i < (argc - 1); i++) {
fstring sid_str;
sid_to_string(sid_str, &sids[i]);
@@ -242,6 +244,8 @@ static NTSTATUS cmd_lsa_lookup_sids(struct cli_state *cli, TALLOC_CTX *mem_ctx,
names[i] ? names[i] : "*unknown*", types[i]);
}
+ cli_lsa_close(cli, mem_ctx, &pol);
+
done:
return result;
}
@@ -673,7 +677,7 @@ static NTSTATUS cmd_lsa_remove_acct_rights(struct cli_state *cli,
/* Get a privilege value given its name */
-static NTSTATUS cmd_lsa_lookupprivvalue(struct cli_state *cli,
+static NTSTATUS cmd_lsa_lookup_priv_value(struct cli_state *cli,
TALLOC_CTX *mem_ctx, int argc,
const char **argv)
{
@@ -693,7 +697,7 @@ static NTSTATUS cmd_lsa_lookupprivvalue(struct cli_state *cli,
if (!NT_STATUS_IS_OK(result))
goto done;
- result = cli_lsa_lookupprivvalue(cli, mem_ctx, &pol, argv[1], &luid);
+ result = cli_lsa_lookup_priv_value(cli, mem_ctx, &pol, argv[1], &luid);
if (!NT_STATUS_IS_OK(result))
goto done;
@@ -765,7 +769,7 @@ struct cmd_set lsarpc_commands[] = {
#endif
{ "lsaaddacctrights", RPC_RTYPE_NTSTATUS, cmd_lsa_add_acct_rights, NULL, PI_LSARPC, "Add rights to an account", "" },
{ "lsaremoveacctrights", RPC_RTYPE_NTSTATUS, cmd_lsa_remove_acct_rights, NULL, PI_LSARPC, "Remove rights from an account", "" },
- { "lsalookupprivvalue", RPC_RTYPE_NTSTATUS, cmd_lsa_lookupprivvalue, NULL, PI_LSARPC, "Get a privilege value given its name", "" },
+ { "lsalookupprivvalue", RPC_RTYPE_NTSTATUS, cmd_lsa_lookup_priv_value, NULL, PI_LSARPC, "Get a privilege value given its name", "" },
{ "lsaquerysecobj", RPC_RTYPE_NTSTATUS, cmd_lsa_query_secobj, NULL, PI_LSARPC, "Query LSA security object", "" },
{ NULL }