-rw-r--r--source3/include/proto.h2
-rw-r--r--source3/include/smb.h28
-rw-r--r--source3/lib/util.c39
-rw-r--r--source3/param/loadparm.c6
-rw-r--r--source3/pipenetlog.c27
-rw-r--r--source3/smbd/ipc.c2
6 files changed, 100 insertions, 4 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 5bd1745958..4613137d0d 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -178,6 +178,8 @@ char *lp_announce_version(void);
char *lp_netbios_aliases(void);
char *lp_domainsid(void);
char *lp_domain_groups(void);
+char *lp_domain_admin_users(void);
+char *lp_domain_guest_users(void);
BOOL lp_dns_proxy(void);
BOOL lp_wins_support(void);
BOOL lp_wins_proxy(void);
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 7921e77108..0965b6b90b 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -66,6 +66,8 @@ typedef int BOOL;
typedef int smb_shm_offset_t;
#define NULL_OFFSET (smb_shm_offset_t)(0)
+/* limiting size of ipc replies */
+#define REALLOC(ptr,size) Realloc(ptr,MAX((size),4*1024))
/*
Samba needs type definitions for int16, int32, uint16 and uint32.
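Review bot: The new comment on `REALLOC` says it is "limiting size of ipc replies", but `MAX((size),4*1024)` does the opposite: it raises every request to at least 4 KiB and puts no upper bound on the allocation. Now that the macro sits in smb.h and is visible to every file, a reader may take it for a cap on reply size. A comment such as `/* IPC reply buffers: allocate at least 4k; this is a floor, not an upper limit */` would match the code. If `MAX` is the usual two-argument macro (its definition is not in this hunk), `size` is also evaluated twice, which is worth stating next to the definition.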
@@ -298,6 +300,32 @@ typedef fstring string;
#define NETSERVERGETINFO 0x15
#define NETSHAREENUM 0x0f
+/* well-known RIDs - Relative IDs */
+
+/* RIDs - Well-known users ... */
+#define DOMAIN_USER_RID_ADMIN (0x000001F4L)
+#define DOMAIN_USER_RID_GUEST (0x000001F5L)
+
+/* RIDs - well-known groups ... */
+#define DOMAIN_GROUP_RID_ADMINS (0x00000200L)
+#define DOMAIN_GROUP_RID_USERS (0x00000201L)
+#define DOMAIN_GROUP_RID_GUESTS (0x00000202L)
+
+/* RIDs - well-known aliases ... */
+#define DOMAIN_ALIAS_RID_ADMINS (0x00000220L)
+#define DOMAIN_ALIAS_RID_USERS (0x00000221L)
+#define DOMAIN_ALIAS_RID_GUESTS (0x00000222L)
+#define DOMAIN_ALIAS_RID_POWER_USERS (0x00000223L)
+
+#define DOMAIN_ALIAS_RID_ACCOUNT_OPS (0x00000224L)
+#define DOMAIN_ALIAS_RID_SYSTEM_OPS (0x00000225L)
+#define DOMAIN_ALIAS_RID_PRINT_OPS (0x00000226L)
+#define DOMAIN_ALIAS_RID_BACKUP_OPS (0x00000227L)
+
+#define DOMAIN_ALIAS_RID_REPLICATOR (0x00000228L)
+
+
+
/* 32 bit time (sec) since 01jan1970 - cifs6.txt, section 3.5, page 30 */
typedef struct time_info
{
diff --git a/source3/lib/util.c b/source3/lib/util.c
index ec0f9f0efc..96c0774e92 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -4509,6 +4509,28 @@ char *tab_depth(int depth)
return spaces;
}
+
+/* array lookup of well-known RID aliases. the purpose of these escapes me.. */
+static struct
+{
+ uint32 rid;
+ char *rid_name;
+
+} rid_lookups[] =
+{
+ { DOMAIN_ALIAS_RID_ADMINS , "admins" },
+ { DOMAIN_ALIAS_RID_USERS , "users" },
+ { DOMAIN_ALIAS_RID_GUESTS , "guests" },
+ { DOMAIN_ALIAS_RID_POWER_USERS , "power_users" },
+
+ { DOMAIN_ALIAS_RID_ACCOUNT_OPS , "account_ops" },
+ { DOMAIN_ALIAS_RID_SYSTEM_OPS , "system_ops" },
+ { DOMAIN_ALIAS_RID_PRINT_OPS , "print_ops" },
+ { DOMAIN_ALIAS_RID_BACKUP_OPS , "backup_ops" },
+ { DOMAIN_ALIAS_RID_REPLICATOR , "replicator" },
+ { 0 , NULL }
+};
+
int make_domain_gids(char *gids_str, DOM_GID *gids)
{
char *ptr;
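Review bot: The comment on `rid_lookups` ("the purpose of these escapes me..") leaves the table undocumented, although the next hunk makes it part of how the configured group string is turned into the RIDs returned for a logon. State what the code does with it, for example `/* names accepted in a GID/ATTR group list, mapped to the well-known alias RIDs; terminated by a NULL rid_name */`. The table holds only `DOMAIN_ALIAS_RID_*` values while the numeric entries elsewhere in this commit are group RIDs (512-514). If mixing the two in one `DOM_GID` list is intended, the comment should say so. make_domain_gids begins in this hunk and continues outside it.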
@@ -4523,12 +4545,26 @@ int make_domain_gids(char *gids_str, DOM_GID *gids)
{
/* the entries are of the form GID/ATTR, ATTR being optional.*/
char *attr;
+ uint32 rid = 0;
+ int i;
attr = strchr(s2,'/');
if (attr) *attr++ = 0;
if (!attr || !*attr) attr = "7"; /* default value for attribute is 7 */
- gids[count].gid = atoi(s2);
+ /* look up the RID string and see if we can turn it into a rid number */
+ for (i = 0; rid_lookups[i].rid_name != NULL; i++)
+ {
+ if (strequal(rid_lookups[i].rid_name, s2))
+ {
+ rid = rid_lookups[i].rid;
+ break;
+ }
+ }
+
+ if (rid == 0) rid = atoi(s2);
+
+ gids[count].gid = rid;
gids[count].attr = atoi(attr);
DEBUG(5,("group id: %d attr: %d\n", gids[count].gid, gids[count].attr));
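Review bot: An entry that is neither a name in `rid_lookups` nor a number falls through `if (rid == 0) rid = atoi(s2);` and is stored as RID 0, because atoi() returns 0 for unparsable text and reports no error. A misspelt group name in the configuration therefore yields a bogus group entry in the logon reply, with nothing in the log to show it. Parsing with `rid = (uint32)strtoul(s2, &end, 10);` and treating `end == s2 || *end != '\0'` as a configuration error to be logged would make the failure visible; `atoi(attr)` on the next line has the same weakness. The loop header and any bound on `count` are outside this hunk, so how a rejected entry is skipped depends on code not shown here.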
@@ -4536,3 +4572,4 @@ int make_domain_gids(char *gids_str, DOM_GID *gids)
return count;
}
+
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index d0dfe4ace7..a72471c5a9 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -128,6 +128,8 @@ typedef struct
char *szValidChars;
char *szWorkGroup;
char *szDomainController;
+ char *szDomainAdminUsers;
+ char *szDomainGuestUsers;
char *szUsernameMap;
char *szCharacterSet;
char *szLogonScript;
@@ -447,6 +449,8 @@ struct parm_struct
{"domain sid", P_USTRING, P_GLOBAL, &Globals.szDomainSID, NULL},
{"domain groups", P_USTRING, P_GLOBAL, &Globals.szDomainGroups, NULL},
{"domain controller",P_STRING, P_GLOBAL, &Globals.szDomainController,NULL},
+ {"domain admin users",P_STRING, P_GLOBAL, &Globals.szDomainAdminUsers, NULL},
+ {"domain guest users",P_STRING, P_GLOBAL, &Globals.szDomainGuestUsers, NULL},
{"username map", P_STRING, P_GLOBAL, &Globals.szUsernameMap, NULL},
{"character set", P_STRING, P_GLOBAL, &Globals.szCharacterSet, handle_character_set},
{"logon script", P_STRING, P_GLOBAL, &Globals.szLogonScript, NULL},
@@ -865,6 +869,8 @@ FN_GLOBAL_STRING(lp_netbios_aliases,&Globals.szNetbiosAliases)
FN_GLOBAL_STRING(lp_domainsid,&Globals.szDomainSID)
FN_GLOBAL_STRING(lp_domain_groups,&Globals.szDomainGroups)
+FN_GLOBAL_STRING(lp_domain_admin_users,&Globals.szDomainAdminUsers)
+FN_GLOBAL_STRING(lp_domain_guest_users,&Globals.szDomainGuestUsers)
FN_GLOBAL_BOOL(lp_dns_proxy,&Globals.bDNSproxy)
FN_GLOBAL_BOOL(lp_wins_support,&Globals.bWINSsupport)
diff --git a/source3/pipenetlog.c b/source3/pipenetlog.c
index 0563a61591..ad4ad63369 100644
--- a/source3/pipenetlog.c
+++ b/source3/pipenetlog.c
@@ -508,6 +508,7 @@ static void api_lsa_sam_logon( user_struct *vuser,
pstring home_drive;
pstring my_name;
pstring my_workgroup;
+ pstring domain_groups;
pstring dom_sid;
extern pstring myname;
@@ -518,6 +519,9 @@ static void api_lsa_sam_logon( user_struct *vuser,
pstrcpy(samlogon_user, unistr2(q_l.sam_id.auth.id1.uni_user_name.buffer));
+ DEBUG(3,("SAM Logon. Domain:[%s]. User [%s]\n",
+ lp_workgroup(), samlogon_user));
+
/* hack to get standard_sub_basic() to use the sam logon username */
sam_logon_in_ssb = True;
@@ -529,7 +533,28 @@ static void api_lsa_sam_logon( user_struct *vuser,
pstrcpy(home_drive , lp_logon_drive ());
pstrcpy(home_dir , lp_logon_home ());
- num_gids = make_domain_gids(lp_domain_groups(), gids);
+ /* any additional groups this user is in. e.g power users */
+ pstrcpy(domain_groups, lp_domain_groups());
+
+ /* one RID group always added: 512 (Admin); 513 (Users); 514 (Guests) */
+
+ if (user_in_list(samlogon_user, lp_domain_guest_users()))
+ {
+ DEBUG(3,("domain guest access granted\n"));
+ strcat(domain_groups, " 514/7 ");
+ }
+ else if (user_in_list(samlogon_user, lp_domain_admin_users()))
+ {
+ DEBUG(3,("domain admin access granted\n"));
+ strcat(domain_groups, " 512/7 ");
+ }
+ else
+ {
+ DEBUG(3,("domain user access granted\n"));
+ strcat(domain_groups, " 513/7 ");
+ }
+
+ num_gids = make_domain_gids(domain_groups, gids);
sam_logon_in_ssb = False;
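Review bot: The three `strcat(domain_groups, " 51x/7 ")` calls append to a `pstring` just filled from `lp_domain_groups()` without checking the room left, so a configured value near the pstring size is overrun by the seven-byte suffix. Guard each append with a length check such as `if (strlen(domain_groups) + sizeof(" 512/7 ") <= sizeof(domain_groups))`, or use a bounded append helper if the tree has one. The literals 512, 513 and 514 repeat the `DOMAIN_GROUP_RID_ADMINS`, `_USERS` and `_GUESTS` values this commit adds to smb.h, so building the suffix from those constants would keep the two in step. Separately, the admin RID is selected purely by matching `samlogon_user`, which is taken from the request, against `lp_domain_admin_users()`. These lines do not show where the credentials in the request are verified, so confirm that happens before the group list is built. api_lsa_sam_logon starts and ends outside this hunk.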
diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c
index 4f6c85de9f..efae39889d 100644
--- a/source3/smbd/ipc.c
+++ b/source3/smbd/ipc.c
@@ -52,8 +52,6 @@ extern fstring myworkgroup;
#define ERROR_INVALID_LEVEL 124
#define ERROR_MORE_DATA 234
-#define REALLOC(ptr,size) Realloc(ptr,MAX((size),4*1024))
-
#define ACCESS_READ 0x01
#define ACCESS_WRITE 0x02
#define ACCESS_CREATE 0x04