summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2009-09-22 00:16:58 -0700
committerAndrew Tridgell <tridge@samba.org>2009-09-22 17:10:05 -0700
commita971b87a9e71cea5ef785b58c8d4ac3f4e3ea22d (patch)
tree08dce843a45404716aa1b0cdef715326943ff37c /source4
parent69cb91a2eb2c3853663a61c2ed8f38e8fdde0964 (diff)
downloadsamba-a971b87a9e71cea5ef785b58c8d4ac3f4e3ea22d.tar.gz
samba-a971b87a9e71cea5ef785b58c8d4ac3f4e3ea22d.tar.bz2
samba-a971b87a9e71cea5ef785b58c8d4ac3f4e3ea22d.zip
s4-lsa: added support for QuerySecurity on LSA
This follows the sd pattern from samba3
Diffstat (limited to 'source4')
-rw-r--r--source4/rpc_server/lsa/dcesrv_lsa.c87
1 files changed, 85 insertions, 2 deletions
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 13f045fd0f..3d6352af46 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -64,6 +64,65 @@ struct lsa_trusted_domain_state {
struct ldb_dn *trusted_domain_user_dn;
};
+/*
+ this is based on the samba3 function make_lsa_object_sd()
+ It uses the same logic, but with samba4 helper functions
+ */
+static NTSTATUS dcesrv_build_lsa_sd(TALLOC_CTX *mem_ctx,
+ struct security_descriptor **sd,
+ struct dom_sid *sid,
+ uint32_t sid_access)
+{
+ NTSTATUS status;
+ uint32_t rid;
+ struct dom_sid *domain_sid, *domain_admins_sid;
+ const char *domain_admins_sid_str, *sidstr;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+
+ status = dom_sid_split_rid(tmp_ctx, sid, &domain_sid, &rid);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ domain_admins_sid = dom_sid_add_rid(tmp_ctx, domain_sid, DOMAIN_RID_ADMINS);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(domain_admins_sid, tmp_ctx);
+
+ domain_admins_sid_str = dom_sid_string(tmp_ctx, domain_admins_sid);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(domain_admins_sid_str, tmp_ctx);
+
+ sidstr = dom_sid_string(tmp_ctx, sid);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sidstr, tmp_ctx);
+
+ *sd = security_descriptor_dacl_create(mem_ctx,
+ 0, sidstr, NULL,
+
+ SID_WORLD,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_GENERIC_EXECUTE | SEC_GENERIC_READ, 0,
+
+ SID_BUILTIN_ADMINISTRATORS,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_GENERIC_ALL, 0,
+
+ SID_BUILTIN_ACCOUNT_OPERATORS,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_GENERIC_ALL, 0,
+
+ domain_admins_sid_str,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_GENERIC_ALL, 0,
+
+ sidstr,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ sid_access, 0,
+
+ NULL);
+ talloc_free(tmp_ctx);
+
+ NT_STATUS_HAVE_NO_MEMORY(*sd);
+
+ return NT_STATUS_OK;
+}
+
+
static NTSTATUS dcesrv_lsa_EnumAccountRights(struct dcesrv_call_state *dce_call,
TALLOC_CTX *mem_ctx,
struct lsa_EnumAccountRights *r);
@@ -265,9 +324,33 @@ static NTSTATUS dcesrv_lsa_EnumPrivs(struct dcesrv_call_state *dce_call, TALLOC_
lsa_QuerySecObj
*/
static NTSTATUS dcesrv_lsa_QuerySecurity(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct lsa_QuerySecurity *r)
+ struct lsa_QuerySecurity *r)
{
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ struct dcesrv_handle *h;
+ struct security_descriptor *sd;
+ NTSTATUS status;
+ struct dom_sid *sid;
+
+ DCESRV_PULL_HANDLE(h, r->in.handle, DCESRV_HANDLE_ANY);
+
+ sid = dce_call->conn->auth_state.session_info->security_token->user_sid;
+
+ if (h->wire_handle.handle_type == LSA_HANDLE_POLICY) {
+ status = dcesrv_build_lsa_sd(mem_ctx, &sd, sid, 0);
+ } else if (h->wire_handle.handle_type == LSA_HANDLE_ACCOUNT) {
+ status = dcesrv_build_lsa_sd(mem_ctx, &sd, sid,
+ LSA_ACCOUNT_ALL_ACCESS);
+ } else {
+ return NT_STATUS_INVALID_HANDLE;
+ }
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ (*r->out.sdbuf) = talloc(mem_ctx, struct sec_desc_buf);
+ NT_STATUS_HAVE_NO_MEMORY(*r->out.sdbuf);
+
+ (*r->out.sdbuf)->sd = sd;
+
+ return NT_STATUS_OK;
}