diff options
-rw-r--r-- | source3/include/rpc_samr.h | 27 | ||||
-rw-r--r-- | source3/libnet/libnet_join.c | 7 | ||||
-rw-r--r-- | source3/rpc_client/cli_samr.c | 4 | ||||
-rw-r--r-- | source3/rpc_parse/parse_samr.c | 6 | ||||
-rw-r--r-- | source3/rpcclient/cmd_samr.c | 11 | ||||
-rw-r--r-- | source3/utils/net_domain.c | 8 | ||||
-rw-r--r-- | source3/utils/net_rpc.c | 20 | ||||
-rw-r--r-- | source3/utils/net_rpc_join.c | 8 |
8 files changed, 71 insertions, 20 deletions
diff --git a/source3/include/rpc_samr.h b/source3/include/rpc_samr.h index 9274e37682..5ddb877b90 100644 --- a/source3/include/rpc_samr.h +++ b/source3/include/rpc_samr.h @@ -145,6 +145,31 @@ SamrTestPrivateFunctionsUser #define SAMR_CHGPASSWD_USER3 0x3F #define SAMR_CONNECT5 0x40 +/* SAMR account creation flags/permissions */ +#define SAMR_USER_GETNAME 0x1 +#define SAMR_USER_GETLOCALE 0x2 +#define SAMR_USER_GETLOCCOM 0x4 +#define SAMR_USER_GETLOGONINFO 0x8 +#define SAMR_USER_GETATTR 0x10 +#define SAMR_USER_SETATTR 0x20 +#define SAMR_USER_CHPASS 0x40 +#define SAMR_USER_SETPASS 0x80 +#define SAMR_USER_GETGROUPS 0x100 +#define SAMR_USER_GETMEMBERSHIP 0x200 +#define SAMR_USER_CHMEMBERSHIP 0x400 +#define SAMR_STANDARD_DELETE 0x10000 +#define SAMR_STANDARD_READCTRL 0x20000 +#define SAMR_STANDARD_WRITEDAC 0x40000 +#define SAMR_STANDARD_WRITEOWNER 0x80000 +#define SAMR_STANDARD_SYNC 0x100000 +#define SAMR_GENERIC_ACCESSSACL 0x800000 +#define SAMR_GENERIC_MAXALLOWED 0x2000000 +#define SAMR_GENERIC_ALL 0x10000000 +#define SAMR_GENERIC_EXECUTE 0x20000000 +#define SAMR_GENERIC_WRITE 0x40000000 +#define SAMR_GENERIC_READ 0x80000000 + + typedef struct logon_hours_info { uint32 max_len; /* normally 1260 bytes */ @@ -1555,7 +1580,7 @@ typedef struct q_samr_create_user_info UNISTR2 uni_name; /* unicode account name */ uint32 acb_info; /* account control info */ - uint32 access_mask; /* 0xe005 00b0 */ + uint32 acct_flags; /* 0xe005 00b0 */ } SAMR_Q_CREATE_USER; diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index a9978ba4b8..538cca7994 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -684,10 +684,15 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, const_acct_name = acct_name; if (r->in.join_flags & WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE) { + uint32 acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | + SAMR_USER_GETATTR | SAMR_USER_SETATTR; + status = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, acct_name, ACB_WSTRUST, - 0xe005000b, &user_pol, + acct_flags, &user_pol, &user_rid); if (NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) { if (!(r->in.join_flags & diff --git a/source3/rpc_client/cli_samr.c b/source3/rpc_client/cli_samr.c index bf8313816c..7cf8726052 100644 --- a/source3/rpc_client/cli_samr.c +++ b/source3/rpc_client/cli_samr.c @@ -1643,7 +1643,7 @@ NTSTATUS rpccli_samr_lookup_names(struct rpc_pipe_client *cli, TALLOC_CTX *mem_c NTSTATUS rpccli_samr_create_dom_user(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, POLICY_HND *domain_pol, const char *acct_name, - uint32 acb_info, uint32 access_mask, + uint32 acb_info, uint32 acct_flags, POLICY_HND *user_pol, uint32 *rid) { prs_struct qbuf, rbuf; @@ -1658,7 +1658,7 @@ NTSTATUS rpccli_samr_create_dom_user(struct rpc_pipe_client *cli, TALLOC_CTX *me /* Marshall data and send request */ - init_samr_q_create_user(&q, domain_pol, acct_name, acb_info, access_mask); + init_samr_q_create_user(&q, domain_pol, acct_name, acb_info, acct_flags); CLI_DO_RPC(cli, mem_ctx, PI_SAMR, SAMR_CREATE_USER, q, r, diff --git a/source3/rpc_parse/parse_samr.c b/source3/rpc_parse/parse_samr.c index 614a80dd6f..23add3dffd 100644 --- a/source3/rpc_parse/parse_samr.c +++ b/source3/rpc_parse/parse_samr.c @@ -5172,7 +5172,7 @@ reads or writes a structure. void init_samr_q_create_user(SAMR_Q_CREATE_USER * q_u, POLICY_HND *pol, const char *name, - uint32 acb_info, uint32 access_mask) + uint32 acb_info, uint32 acct_flags) { DEBUG(5, ("samr_init_samr_q_create_user\n")); @@ -5182,7 +5182,7 @@ void init_samr_q_create_user(SAMR_Q_CREATE_USER * q_u, init_uni_hdr(&q_u->hdr_name, &q_u->uni_name); q_u->acb_info = acb_info; - q_u->access_mask = access_mask; + q_u->acct_flags = acct_flags; } /******************************************************************* @@ -5213,7 +5213,7 @@ bool samr_io_q_create_user(const char *desc, SAMR_Q_CREATE_USER * q_u, return False; if(!prs_uint32("acb_info ", ps, depth, &q_u->acb_info)) return False; - if(!prs_uint32("access_mask", ps, depth, &q_u->access_mask)) + if(!prs_uint32("acct_flags", ps, depth, &q_u->acct_flags)) return False; return True; diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c index 171027fa49..5b42c6bc0e 100644 --- a/source3/rpcclient/cmd_samr.c +++ b/source3/rpcclient/cmd_samr.c @@ -1450,7 +1450,7 @@ static NTSTATUS cmd_samr_create_dom_user(struct rpc_pipe_client *cli, NTSTATUS result = NT_STATUS_UNSUCCESSFUL; const char *acct_name; uint32 acb_info; - uint32 user_rid; + uint32 acct_flags, user_rid; uint32 access_mask = MAXIMUM_ALLOWED_ACCESS; if ((argc < 2) || (argc > 3)) { @@ -1459,7 +1459,7 @@ static NTSTATUS cmd_samr_create_dom_user(struct rpc_pipe_client *cli, } acct_name = argv[1]; - + if (argc > 2) sscanf(argv[2], "%x", &access_mask); @@ -1483,10 +1483,13 @@ static NTSTATUS cmd_samr_create_dom_user(struct rpc_pipe_client *cli, /* Create domain user */ acb_info = ACB_NORMAL; - access_mask = 0xe005000b; + acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | + SAMR_USER_GETATTR | SAMR_USER_SETATTR; result = rpccli_samr_create_dom_user(cli, mem_ctx, &domain_pol, - acct_name, acb_info, access_mask, + acct_name, acb_info, acct_flags, &user_pol, &user_rid); if (!NT_STATUS_IS_OK(result)) diff --git a/source3/utils/net_domain.c b/source3/utils/net_domain.c index da5e61caf0..a98f090e62 100644 --- a/source3/utils/net_domain.c +++ b/source3/utils/net_domain.c @@ -208,6 +208,7 @@ NTSTATUS netdom_join_domain( TALLOC_CTX *mem_ctx, struct cli_state *cli, uint32 num_rids, *name_types, *user_rids; uint32 flags = 0x3e8; uint32 acb_info = ACB_WSTRUST; + uint32 acct_flags; uint32 fields_present; uchar pwbuf[532]; SAM_USERINFO_CTR ctr; @@ -245,8 +246,13 @@ NTSTATUS netdom_join_domain( TALLOC_CTX *mem_ctx, struct cli_state *cli, /* Don't try to set any acb_info flags other than ACB_WSTRUST */ + acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR | + SAMR_USER_SETATTR; + DEBUG(10, ("Creating account with flags: %d\n",acct_flags)); status = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, - acct_name, acb_info, 0xe005000b, &user_pol, &user_rid); + acct_name, acb_info, acct_flags, &user_pol, &user_rid); if ( !NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 677924649c..b08a93627d 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -588,7 +588,7 @@ static NTSTATUS rpc_user_add_internals(const DOM_SID *domain_sid, NTSTATUS result = NT_STATUS_UNSUCCESSFUL; const char *acct_name; uint32 acb_info; - uint32 access_mask, user_rid; + uint32 acct_flags, user_rid; if (argc < 1) { d_printf("User must be specified\n"); @@ -618,10 +618,13 @@ static NTSTATUS rpc_user_add_internals(const DOM_SID *domain_sid, /* Create domain user */ acb_info = ACB_NORMAL; - access_mask = 0xe005000b; + acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR | + SAMR_USER_SETATTR; result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, - acct_name, acb_info, access_mask, + acct_name, acb_info, acct_flags, &user_pol, &user_rid); if (!NT_STATUS_IS_OK(result)) { goto done; @@ -5341,7 +5344,8 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid, NTSTATUS result = NT_STATUS_UNSUCCESSFUL; char *acct_name; uint32 acb_info; - uint32 unknown, user_rid; + uint32 acct_flags=0; + uint32 user_rid; if (argc != 2) { d_printf("Usage: net rpc trustdom add <domain_name> <pw>\n"); @@ -5375,11 +5379,13 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid, /* Create trusting domain's account */ acb_info = ACB_NORMAL; - unknown = 0xe00500b0; /* No idea what this is - a permission mask? - mimir: yes, most probably it is */ + acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR | + SAMR_USER_SETATTR; result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, - acct_name, acb_info, unknown, + acct_name, acb_info, acct_flags, &user_pol, &user_rid); if (!NT_STATUS_IS_OK(result)) { goto done; diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index 6e37f3c84c..de8ea743b4 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -160,6 +160,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) uint32 flags = 0x3e8; char *acct_name; const char *const_acct_name; + uint32 acct_flags=0; /* check what type of join */ if (argc >= 0) { @@ -249,9 +250,14 @@ int net_rpc_join_newstyle(int argc, const char **argv) strlower_m(acct_name); const_acct_name = acct_name; + acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR | + SAMR_USER_SETATTR; + DEBUG(10, ("Creating account with flags: %d\n",acct_flags)); result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, acct_name, acb_info, - 0xe005000b, &user_pol, + acct_flags, &user_pol, &user_rid); if (!NT_STATUS_IS_OK(result) && |