diff options
| -rw-r--r-- | source3/groupdb/mapping.c | 557 | ||||
| -rw-r--r-- | source3/include/mapping.h | 28 | ||||
| -rw-r--r-- | source3/include/passdb.h | 22 | ||||
| -rw-r--r-- | source3/include/privileges.h | 25 | ||||
| -rw-r--r-- | source3/passdb/passdb.c | 8 | ||||
| -rw-r--r-- | source3/passdb/pdb_interface.c | 34 | ||||
| -rw-r--r-- | source3/passdb/pdb_ldap.c | 15 | ||||
| -rw-r--r-- | source3/rpc_server/srv_lsa_nt.c | 58 | ||||
| -rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 56 | ||||
| -rw-r--r-- | source3/rpc_server/srv_util.c | 9 | ||||
| -rw-r--r-- | source3/sam/idmap_util.c | 2 | ||||
| -rw-r--r-- | source3/smbd/lanman.c | 2 | ||||
| -rw-r--r-- | source3/utils/net.c | 2 | ||||
| -rw-r--r-- | source3/utils/net_groupmap.c | 39 | ||||
| -rw-r--r-- | source3/utils/net_rpc_samsync.c | 14 | ||||
| -rw-r--r-- | source3/utils/pdbedit.c | 2 |
16 files changed, 184 insertions, 689 deletions
diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c index e13730b141..ef243ecfc0 100644 --- a/source3/groupdb/mapping.c +++ b/source3/groupdb/mapping.c @@ -37,69 +37,7 @@ PRIVS privs[] = { {SE_PRIV_PRINT_OPERATOR, "SaPrintOp", "Add or remove printers - Samba" }, {SE_PRIV_ALL, "SaAllPrivs", "all privileges" } }; -/* -PRIVS privs[] = { - { 2, "SeCreateTokenPrivilege" }, - { 3, "SeAssignPrimaryTokenPrivilege" }, - { 4, "SeLockMemoryPrivilege" }, - { 5, "SeIncreaseQuotaPrivilege" }, - { 6, "SeMachineAccountPrivilege" }, - { 7, "SeTcbPrivilege" }, - { 8, "SeSecurityPrivilege" }, - { 9, "SeTakeOwnershipPrivilege" }, - { 10, "SeLoadDriverPrivilege" }, - { 11, "SeSystemProfilePrivilege" }, - { 12, "SeSystemtimePrivilege" }, - { 13, "SeProfileSingleProcessPrivilege" }, - { 14, "SeIncreaseBasePriorityPrivilege" }, - { 15, "SeCreatePagefilePrivilege" }, - { 16, "SeCreatePermanentPrivilege" }, - { 17, "SeBackupPrivilege" }, - { 18, "SeRestorePrivilege" }, - { 19, "SeShutdownPrivilege" }, - { 20, "SeDebugPrivilege" }, - { 21, "SeAuditPrivilege" }, - { 22, "SeSystemEnvironmentPrivilege" }, - { 23, "SeChangeNotifyPrivilege" }, - { 24, "SeRemoteShutdownPrivilege" }, - { 25, "SeUndockPrivilege" }, - { 26, "SeSyncAgentPrivilege" }, - { 27, "SeEnableDelegationPrivilege" }, -}; -*/ - - /* - * Those are not really privileges like the other ones. - * They are handled in a special case and called - * system privileges. - * - * SeNetworkLogonRight - * SeUnsolicitedInputPrivilege - * SeBatchLogonRight - * SeServiceLogonRight - * SeInteractiveLogonRight - * SeDenyInteractiveLogonRight - * SeDenyNetworkLogonRight - * SeDenyBatchLogonRight - * SeDenyBatchLogonRight - */ -#if 0 -/**************************************************************************** -check if the user has the required privilege. -****************************************************************************/ -static BOOL se_priv_access_check(NT_USER_TOKEN *token, uint32 privilege) -{ - /* no token, no privilege */ - if (token==NULL) - return False; - - if ((token->privilege & privilege)==privilege) - return True; - - return False; -} -#endif /**************************************************************************** dump the mapping group mapping to a text file @@ -151,57 +89,35 @@ static BOOL default_group_mapping(void) fstring str_admins; fstring str_users; fstring str_guests; - LUID_ATTR set; - - PRIVILEGE_SET privilege_none; - PRIVILEGE_SET privilege_all; - PRIVILEGE_SET privilege_print_op; - - init_privilege(&privilege_none); - init_privilege(&privilege_all); - init_privilege(&privilege_print_op); - - set.attr=0; - set.luid.high=0; - set.luid.low=SE_PRIV_PRINT_OPERATOR; - add_privilege(&privilege_print_op, set); - - add_all_privilege(&privilege_all); /* Add the Wellknown groups */ - add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK); - add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - - add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "", privilege_print_op, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); - - add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "", privilege_none, PR_ACCESS_FROM_NETWORK); + add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", ""); + add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", ""); + add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", ""); + add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", ""); + add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", ""); + add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", ""); + add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", ""); + add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", ""); + add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", ""); /* Add the defaults domain groups */ sid_copy(&sid_admins, get_global_sam_sid()); sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS); sid_to_string(str_admins, &sid_admins); - add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", ""); sid_copy(&sid_users, get_global_sam_sid()); sid_append_rid(&sid_users, DOMAIN_GROUP_RID_USERS); sid_to_string(str_users, &sid_users); - add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY); + add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", ""); sid_copy(&sid_guests, get_global_sam_sid()); sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS); sid_to_string(str_guests, &sid_guests); - add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK); - - free_privilege(&privilege_none); - free_privilege(&privilege_all); - free_privilege(&privilege_print_op); + add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", ""); return True; } @@ -259,8 +175,6 @@ static BOOL add_mapping_entry(GROUP_MAP *map, int flag) pstring key, buf; fstring string_sid=""; int len; - int i; - PRIVILEGE_SET *set; if(!init_group_mapping()) { DEBUG(0,("failed to initialize group mapping")); @@ -269,16 +183,8 @@ static BOOL add_mapping_entry(GROUP_MAP *map, int flag) sid_to_string(string_sid, &map->sid); - len = tdb_pack(buf, sizeof(buf), "ddffd", - map->gid, map->sid_name_use, map->nt_name, map->comment, map->systemaccount); - - /* write the privilege list in the TDB database */ - - set=&map->priv_set; - len += tdb_pack(buf+len, sizeof(buf)-len, "d", set->count); - for (i=0; i<set->count; i++) - len += tdb_pack(buf+len, sizeof(buf)-len, "ddd", - set->set[i].luid.low, set->set[i].luid.high, set->set[i].attr); + len = tdb_pack(buf, sizeof(buf), "ddff", + map->gid, map->sid_name_use, map->nt_name, map->comment); if (len > sizeof(buf)) return False; @@ -297,8 +203,7 @@ static BOOL add_mapping_entry(GROUP_MAP *map, int flag) /**************************************************************************** initialise first time the mapping list ****************************************************************************/ -BOOL add_initial_entry(gid_t gid, const char *sid, enum SID_NAME_USE sid_name_use, - const char *nt_name, const char *comment, PRIVILEGE_SET priv_set, uint32 systemaccount) +BOOL add_initial_entry(gid_t gid, const char *sid, enum SID_NAME_USE sid_name_use, const char *nt_name, const char *comment) { GROUP_MAP map; @@ -316,10 +221,6 @@ BOOL add_initial_entry(gid_t gid, const char *sid, enum SID_NAME_USE sid_name_us map.sid_name_use=sid_name_use; fstrcpy(map.nt_name, nt_name); fstrcpy(map.comment, comment); - map.systemaccount=systemaccount; - - map.priv_set.count=priv_set.count; - map.priv_set.set=priv_set.set; pdb_add_group_mapping_entry(&map); @@ -327,196 +228,15 @@ BOOL add_initial_entry(gid_t gid, const char *sid, enum SID_NAME_USE sid_name_us } /**************************************************************************** -initialise a privilege list -****************************************************************************/ -void init_privilege(PRIVILEGE_SET *priv_set) -{ - priv_set->count=0; - priv_set->control=0; - priv_set->set=NULL; -} - -/**************************************************************************** -free a privilege list -****************************************************************************/ -BOOL free_privilege(PRIVILEGE_SET *priv_set) -{ - if (priv_set->count==0) { - DEBUG(100,("free_privilege: count=0, nothing to clear ?\n")); - return False; - } - - if (priv_set->set==NULL) { - DEBUG(0,("free_privilege: list ptr is NULL, very strange !\n")); - return False; - } - - safe_free(priv_set->set); - priv_set->count=0; - priv_set->control=0; - priv_set->set=NULL; - - return True; -} - -/**************************************************************************** -add a privilege to a privilege array -****************************************************************************/ -BOOL add_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set) -{ - LUID_ATTR *new_set; - - /* check if the privilege is not already in the list */ - if (check_priv_in_privilege(priv_set, set)) - return False; - - /* we can allocate memory to add the new privilege */ - - new_set=(LUID_ATTR *)Realloc(priv_set->set, (priv_set->count+1)*(sizeof(LUID_ATTR))); - if (new_set==NULL) { - DEBUG(0,("add_privilege: could not Realloc memory to add a new privilege\n")); - return False; - } - - new_set[priv_set->count].luid.high=set.luid.high; - new_set[priv_set->count].luid.low=set.luid.low; - new_set[priv_set->count].attr=set.attr; - - priv_set->count++; - priv_set->set=new_set; - - return True; -} - -/**************************************************************************** -add all the privileges to a privilege array -****************************************************************************/ -BOOL add_all_privilege(PRIVILEGE_SET *priv_set) -{ - LUID_ATTR set; - - set.attr=0; - set.luid.high=0; - - set.luid.low=SE_PRIV_ADD_USERS; - add_privilege(priv_set, set); - - set.luid.low=SE_PRIV_ADD_MACHINES; - add_privilege(priv_set, set); - - set.luid.low=SE_PRIV_PRINT_OPERATOR; - add_privilege(priv_set, set); - - return True; -} - -/**************************************************************************** -check if the privilege list is empty -****************************************************************************/ -BOOL check_empty_privilege(PRIVILEGE_SET *priv_set) -{ - return (priv_set->count == 0); -} - -/**************************************************************************** -check if the privilege is in the privilege list -****************************************************************************/ -BOOL check_priv_in_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set) -{ - int i; - - /* if the list is empty, obviously we can't have it */ - if (check_empty_privilege(priv_set)) - return False; - - for (i=0; i<priv_set->count; i++) { - LUID_ATTR *cur_set; - - cur_set=&priv_set->set[i]; - /* check only the low and high part. Checking the attr field has no meaning */ - if( (cur_set->luid.low==set.luid.low) && (cur_set->luid.high==set.luid.high) ) - return True; - } - - return False; -} - -/**************************************************************************** -remove a privilege from a privilege array -****************************************************************************/ -BOOL remove_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set) -{ - LUID_ATTR *new_set; - LUID_ATTR *old_set; - int i,j; - - /* check if the privilege is in the list */ - if (!check_priv_in_privilege(priv_set, set)) - return False; - - /* special case if it's the only privilege in the list */ - if (priv_set->count==1) { - free_privilege(priv_set); - init_privilege(priv_set); - - return True; - } - - /* - * the privilege is there, create a new list, - * and copy the other privileges - */ - - old_set=priv_set->set; - - new_set=(LUID_ATTR *)malloc((priv_set->count-1)*(sizeof(LUID_ATTR))); - if (new_set==NULL) { - DEBUG(0,("remove_privilege: could not malloc memory for new privilege list\n")); - return False; - } - - for (i=0, j=0; i<priv_set->count; i++) { - if ((old_set[i].luid.low==set.luid.low) && - (old_set[i].luid.high==set.luid.high)) { - continue; - } - - new_set[j].luid.low=old_set[i].luid.low; - new_set[j].luid.high=old_set[i].luid.high; - new_set[j].attr=old_set[i].attr; - - j++; - } - - if (j!=priv_set->count-1) { - DEBUG(0,("remove_privilege: mismatch ! difference is not -1\n")); - DEBUGADD(0,("old count:%d, new count:%d\n", priv_set->count, j)); - safe_free(new_set); - return False; - } - - /* ok everything is fine */ - - priv_set->count--; - priv_set->set=new_set; - - safe_free(old_set); - - return True; -} - -/**************************************************************************** Return the sid and the type of the unix group. ****************************************************************************/ -static BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) +static BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map) { TDB_DATA kbuf, dbuf; pstring key; fstring string_sid; int ret; - int i; - PRIVILEGE_SET *set; if(!init_group_mapping()) { DEBUG(0,("failed to initialize group mapping")); @@ -535,34 +255,10 @@ static BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) if (!dbuf.dptr) return False; - ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd", - &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount); - - set=&map->priv_set; - init_privilege(set); - ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count); - - DEBUG(10,("get_group_map_from_sid: %d privileges\n", map->priv_set.count)); - - set->set = NULL; - if (set->count) { - set->set=(LUID_ATTR *)smb_xmalloc(set->count*sizeof(LUID_ATTR)); - } - - for (i=0; i<set->count; i++) - ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd", - &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr)); + ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff", + &map->gid, &map->sid_name_use, &map->nt_name, &map->comment); SAFE_FREE(dbuf.dptr); - if (ret != dbuf.dsize) { - DEBUG(0,("get_group_map_from_sid: group mapping TDB corrupted ?\n")); - free_privilege(set); - return False; - } - - /* we don't want the privileges */ - if (with_priv==MAPPING_WITHOUT_PRIV) - free_privilege(set); sid_copy(&map->sid, &sid); @@ -573,13 +269,11 @@ static BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) Return the sid and the type of the unix group. ****************************************************************************/ -static BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv) +static BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map) { TDB_DATA kbuf, dbuf, newkey; fstring string_sid; int ret; - int i; - PRIVILEGE_SET *set; if(!init_group_mapping()) { DEBUG(0,("failed to initialize group mapping")); @@ -602,34 +296,15 @@ static BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv) string_to_sid(&map->sid, string_sid); - ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd", - &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount); - - set=&map->priv_set; - ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count); - set->set = NULL; - if (set->count) { - set->set=(LUID_ATTR *)smb_xmalloc(set->count*sizeof(LUID_ATTR)); - } - - for (i=0; i<set->count; i++) - ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd", - &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr)); + ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff", + &map->gid, &map->sid_name_use, &map->nt_name, &map->comment); SAFE_FREE(dbuf.dptr); - if (ret != dbuf.dsize){ - free_privilege(set); - continue; - } if (gid==map->gid) { - if (!with_priv) - free_privilege(&map->priv_set); SAFE_FREE(kbuf.dptr); return True; } - - free_privilege(set); } return False; @@ -639,13 +314,11 @@ static BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv) Return the sid and the type of the unix group. ****************************************************************************/ -static BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map, BOOL with_priv) +static BOOL get_group_map_from_ntname(const char *name, GROUP_MAP *map) { TDB_DATA kbuf, dbuf, newkey; fstring string_sid; int ret; - int i; - PRIVILEGE_SET *set; if(!init_group_mapping()) { DEBUG(0,("get_group_map_from_ntname:failed to initialize group mapping")); @@ -668,36 +341,15 @@ static BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map, BOOL with_priv string_to_sid(&map->sid, string_sid); - ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd", - &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount); - - set=&map->priv_set; - ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count); - - set->set=(LUID_ATTR *)malloc(set->count*sizeof(LUID_ATTR)); - if (set->set==NULL) { - DEBUG(0,("get_group_map_from_ntname: could not allocate memory for privileges\n")); - return False; - } - - for (i=0; i<set->count; i++) - ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd", - &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr)); + ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff", + &map->gid, &map->sid_name_use, &map->nt_name, &map->comment); SAFE_FREE(dbuf.dptr); - if (ret != dbuf.dsize) { - free_privilege(set); - continue; - } if (StrCaseCmp(name, map->nt_name)==0) { - if (!with_priv) - free_privilege(&map->priv_set); SAFE_FREE(kbuf.dptr); return True; } - - free_privilege(set); } return False; @@ -743,7 +395,7 @@ static BOOL group_map_remove(DOM_SID sid) ****************************************************************************/ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, - int *num_entries, BOOL unix_only, BOOL with_priv) + int *num_entries, BOOL unix_only) { TDB_DATA kbuf, dbuf, newkey; fstring string_sid; @@ -752,8 +404,6 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, GROUP_MAP *mapt; int ret; int entries=0; - int i; - PRIVILEGE_SET *set; if(!init_group_mapping()) { DEBUG(0,("failed to initialize group mapping")); @@ -776,43 +426,19 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX)); - ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd", - &map.gid, &map.sid_name_use, &map.nt_name, &map.comment, &map.systemaccount); - - set=&map.priv_set; - init_privilege(set); - - ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count); - - if (set->count!=0) { - set->set=(LUID_ATTR *)malloc(set->count*sizeof(LUID_ATTR)); - if (set->set==NULL) { - DEBUG(0,("enum_group_mapping: could not allocate memory for privileges\n")); - return False; - } - } - - for (i=0; i<set->count; i++) - ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd", - &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr)); + ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff", + &map.gid, &map.sid_name_use, &map.nt_name, &map.comment); SAFE_FREE(dbuf.dptr); - if (ret != dbuf.dsize) { - DEBUG(11,("enum_group_mapping: error in memory size\n")); - free_privilege(set); - continue; - } /* list only the type or everything if UNKNOWN */ if (sid_name_use!=SID_NAME_UNKNOWN && sid_name_use!=map.sid_name_use) { DEBUG(11,("enum_group_mapping: group %s is not of the requested type\n", map.nt_name)); - free_privilege(set); continue; } if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) { DEBUG(11,("enum_group_mapping: group %s is non mapped\n", map.nt_name)); - free_privilege(set); continue; } @@ -825,7 +451,6 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, if (!mapt) { DEBUG(0,("enum_group_mapping: Unable to enlarge group map!\n")); SAFE_FREE(*rmap); - free_privilege(set); return False; } else @@ -836,12 +461,6 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, mapt[entries].sid_name_use = map.sid_name_use; fstrcpy(mapt[entries].nt_name, map.nt_name); fstrcpy(mapt[entries].comment, map.comment); - mapt[entries].systemaccount=map.systemaccount; - mapt[entries].priv_set.count=set->count; - mapt[entries].priv_set.control=set->control; - mapt[entries].priv_set.set=set->set; - if (!with_priv) - free_privilege(&(mapt[entries].priv_set)); entries++; @@ -852,64 +471,6 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, return True; } - -/**************************************************************************** -convert a privilege string to a privilege array -****************************************************************************/ -void convert_priv_from_text(PRIVILEGE_SET *se_priv, char *privilege) -{ - pstring tok; - const char *p = privilege; - int i; - LUID_ATTR set; - - /* By default no privilege */ - init_privilege(se_priv); - - if (privilege==NULL) - return; - - while(next_token(&p, tok, " ", sizeof(tok)) ) { - for (i=0; i<=PRIV_ALL_INDEX; i++) { - if (StrCaseCmp(privs[i].priv, tok)==0) { - set.attr=0; - set.luid.high=0; - set.luid.low=privs[i].se_priv; - add_privilege(se_priv, set); - } - } - } -} - -/**************************************************************************** -convert a privilege array to a privilege string -****************************************************************************/ -void convert_priv_to_text(PRIVILEGE_SET *se_priv, char *privilege) -{ - int i,j; - - if (privilege==NULL) - return; - - ZERO_STRUCTP(privilege); - - if (check_empty_privilege(se_priv)) { - fstrcat(privilege, "No privilege"); - return; - } - - for(i=0; i<se_priv->count; i++) { - j=1; - while (privs[j].se_priv!=se_priv->set[i].luid.low && j<=PRIV_ALL_INDEX) { - j++; - } - - fstrcat(privilege, privs[j].priv); - fstrcat(privilege, " "); - } -} - - /* * * High level functions @@ -922,7 +483,7 @@ void convert_priv_to_text(PRIVILEGE_SET *se_priv, char *privilege) /* get a domain group from it's SID */ -BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) +BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map) { struct group *grp; @@ -934,23 +495,19 @@ BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) DEBUG(10, ("get_domain_group_from_sid\n")); /* if the group is NOT in the database, it CAN NOT be a domain group */ - if(!pdb_getgrsid(map, sid, with_priv)) + if(!pdb_getgrsid(map, sid)) return False; DEBUG(10, ("get_domain_group_from_sid: SID found in the TDB\n")); /* if it's not a domain group, continue */ if (map->sid_name_use!=SID_NAME_DOM_GRP) { - if (with_priv) - free_privilege(&map->priv_set); return False; } DEBUG(10, ("get_domain_group_from_sid: SID is a domain group\n")); if (map->gid==-1) { - if (with_priv) - free_privilege(&map->priv_set); return False; } @@ -958,8 +515,6 @@ BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) if ( (grp=getgrgid(map->gid)) == NULL) { DEBUG(10, ("get_domain_group_from_sid: gid DOESN'T exist in UNIX security\n")); - if (with_priv) - free_privilege(&map->priv_set); return False; } @@ -971,7 +526,7 @@ BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) /* get a local (alias) group from it's SID */ -BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) +BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map) { struct group *grp; @@ -981,22 +536,16 @@ BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) } /* The group is in the mapping table */ - if(pdb_getgrsid(map, sid, with_priv)) { + if(pdb_getgrsid(map, sid)) { if (map->sid_name_use!=SID_NAME_ALIAS) { - if (with_priv) - free_privilege(&map->priv_set); return False; } if (map->gid==-1) { - if (with_priv) - free_privilege(&map->priv_set); return False; } if ( (grp=getgrgid(map->gid)) == NULL) { - if (with_priv) - free_privilege(&map->priv_set); return False; } } else { @@ -1011,13 +560,10 @@ BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) return False; map->sid_name_use=SID_NAME_ALIAS; - map->systemaccount=PR_ACCESS_FROM_NETWORK; fstrcpy(map->nt_name, grp->gr_name); fstrcpy(map->comment, "Local Unix Group"); - init_privilege(&map->priv_set); - sid_copy(&map->sid, &sid); } @@ -1026,7 +572,7 @@ BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) /* get a builtin group from it's SID */ -BOOL get_builtin_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) +BOOL get_builtin_group_from_sid(DOM_SID sid, GROUP_MAP *map) { struct group *grp; @@ -1035,24 +581,18 @@ BOOL get_builtin_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) return(False); } - if(!pdb_getgrsid(map, sid, with_priv)) + if(!pdb_getgrsid(map, sid)) return False; if (map->sid_name_use!=SID_NAME_WKN_GRP) { - if (with_priv) - free_privilege(&map->priv_set); return False; } if (map->gid==-1) { - if (with_priv) - free_privilege(&map->priv_set); return False; } if ( (grp=getgrgid(map->gid)) == NULL) { - if (with_priv) - free_privilege(&map->priv_set); return False; } @@ -1064,7 +604,7 @@ BOOL get_builtin_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv) /**************************************************************************** Returns a GROUP_MAP struct based on the gid. ****************************************************************************/ -BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv) +BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map) { struct group *grp; @@ -1079,11 +619,9 @@ BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv) /* * make a group map from scratch if doesn't exist. */ - if (!pdb_getgrgid(map, gid, with_priv)) { + if (!pdb_getgrgid(map, gid)) { map->gid=gid; map->sid_name_use=SID_NAME_ALIAS; - map->systemaccount=PR_ACCESS_FROM_NETWORK; - init_privilege(&map->priv_set); /* interim solution until we have a last RID allocated */ @@ -1287,23 +825,23 @@ int smb_delete_user_group(const char *unix_group, const char *unix_user) NTSTATUS pdb_default_getgrsid(struct pdb_methods *methods, GROUP_MAP *map, - DOM_SID sid, BOOL with_priv) + DOM_SID sid) { - return get_group_map_from_sid(sid, map, with_priv) ? + return get_group_map_from_sid(sid, map) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL; } NTSTATUS pdb_default_getgrgid(struct pdb_methods *methods, GROUP_MAP *map, - gid_t gid, BOOL with_priv) + gid_t gid) { - return get_group_map_from_gid(gid, map, with_priv) ? + return get_group_map_from_gid(gid, map) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL; } NTSTATUS pdb_default_getgrnam(struct pdb_methods *methods, GROUP_MAP *map, - char *name, BOOL with_priv) + const char *name) { - return get_group_map_from_ntname(name, map, with_priv) ? + return get_group_map_from_ntname(name, map) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL; } @@ -1331,10 +869,9 @@ NTSTATUS pdb_default_delete_group_mapping_entry(struct pdb_methods *methods, NTSTATUS pdb_default_enum_group_mapping(struct pdb_methods *methods, enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, int *num_entries, - BOOL unix_only, BOOL with_priv) + BOOL unix_only) { - return enum_group_mapping(sid_name_use, rmap, num_entries, unix_only, - with_priv) ? + return enum_group_mapping(sid_name_use, rmap, num_entries, unix_only) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL; } @@ -1343,19 +880,19 @@ NTSTATUS pdb_default_enum_group_mapping(struct pdb_methods *methods, *********************************************************************/ NTSTATUS pdb_nop_getgrsid(struct pdb_methods *methods, GROUP_MAP *map, - DOM_SID sid, BOOL with_priv) + DOM_SID sid) { return NT_STATUS_UNSUCCESSFUL; } NTSTATUS pdb_nop_getgrgid(struct pdb_methods *methods, GROUP_MAP *map, - gid_t gid, BOOL with_priv) + gid_t gid) { return NT_STATUS_UNSUCCESSFUL; } NTSTATUS pdb_nop_getgrnam(struct pdb_methods *methods, GROUP_MAP *map, - char *name, BOOL with_priv) + const char *name) { return NT_STATUS_UNSUCCESSFUL; } @@ -1381,7 +918,7 @@ NTSTATUS pdb_nop_delete_group_mapping_entry(struct pdb_methods *methods, NTSTATUS pdb_nop_enum_group_mapping(struct pdb_methods *methods, enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, int *num_entries, - BOOL unix_only, BOOL with_priv) + BOOL unix_only) { return NT_STATUS_UNSUCCESSFUL; } diff --git a/source3/include/mapping.h b/source3/include/mapping.h index d4f2d28e6a..fdaa2b0453 100644 --- a/source3/include/mapping.h +++ b/source3/include/mapping.h @@ -19,29 +19,9 @@ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -#define PRIV_ALL_INDEX 5 - -#define SE_PRIV_NONE 0x0000 -#define SE_PRIV_ADD_MACHINES 0x0006 -#define SE_PRIV_SEC_PRIV 0x0008 -#define SE_PRIV_TAKE_OWNER 0x0009 -#define SE_PRIV_ADD_USERS 0xff01 -#define SE_PRIV_PRINT_OPERATOR 0xff03 -#define SE_PRIV_ALL 0xffff - #define ENUM_ONLY_MAPPED True #define ENUM_ALL_MAPPED False -#define MAPPING_WITH_PRIV True -#define MAPPING_WITHOUT_PRIV False - -#define PR_NONE 0x0000 -#define PR_LOG_ON_LOCALLY 0x0001 -#define PR_ACCESS_FROM_NETWORK 0x0002 -#define PR_LOG_ON_BATCH_JOB 0x0004 -#define PR_LOG_ON_SERVICE 0x0010 - - typedef struct _GROUP_MAP { struct pdb_methods *methods; gid_t gid; @@ -49,13 +29,5 @@ typedef struct _GROUP_MAP { enum SID_NAME_USE sid_name_use; fstring nt_name; fstring comment; - uint32 systemaccount; - PRIVILEGE_SET priv_set; } GROUP_MAP; -typedef struct _PRIVS { - uint32 se_priv; - const char *priv; - const char *description; -} PRIVS; - diff --git a/source3/include/passdb.h b/source3/include/passdb.h index e14e250d34..aeddcbcb3a 100644 --- a/source3/include/passdb.h +++ b/source3/include/passdb.h @@ -203,14 +203,11 @@ typedef struct pdb_context NTSTATUS (*pdb_delete_sam_account)(struct pdb_context *, SAM_ACCOUNT *username); - NTSTATUS (*pdb_getgrsid)(struct pdb_context *context, GROUP_MAP *map, - DOM_SID sid, BOOL with_priv); + NTSTATUS (*pdb_getgrsid)(struct pdb_context *context, GROUP_MAP *map, DOM_SID sid); - NTSTATUS (*pdb_getgrgid)(struct pdb_context *context, GROUP_MAP *map, - gid_t gid, BOOL with_priv); + NTSTATUS (*pdb_getgrgid)(struct pdb_context *context, GROUP_MAP *map, gid_t gid); - NTSTATUS (*pdb_getgrnam)(struct pdb_context *context, GROUP_MAP *map, - char *name, BOOL with_priv); + NTSTATUS (*pdb_getgrnam)(struct pdb_context *context, GROUP_MAP *map, const char *name); NTSTATUS (*pdb_add_group_mapping_entry)(struct pdb_context *context, GROUP_MAP *map); @@ -224,7 +221,7 @@ typedef struct pdb_context NTSTATUS (*pdb_enum_group_mapping)(struct pdb_context *context, enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, int *num_entries, - BOOL unix_only, BOOL with_priv); + BOOL unix_only); void (*free_fn)(struct pdb_context **); @@ -257,14 +254,11 @@ typedef struct pdb_methods NTSTATUS (*delete_sam_account)(struct pdb_methods *, SAM_ACCOUNT *username); - NTSTATUS (*getgrsid)(struct pdb_methods *methods, GROUP_MAP *map, - DOM_SID sid, BOOL with_priv); + NTSTATUS (*getgrsid)(struct pdb_methods *methods, GROUP_MAP *map, DOM_SID sid); - NTSTATUS (*getgrgid)(struct pdb_methods *methods, GROUP_MAP *map, - gid_t gid, BOOL with_priv); + NTSTATUS (*getgrgid)(struct pdb_methods *methods, GROUP_MAP *map, gid_t gid); - NTSTATUS (*getgrnam)(struct pdb_methods *methods, GROUP_MAP *map, - char *name, BOOL with_priv); + NTSTATUS (*getgrnam)(struct pdb_methods *methods, GROUP_MAP *map, const char *name); NTSTATUS (*add_group_mapping_entry)(struct pdb_methods *methods, GROUP_MAP *map); @@ -278,7 +272,7 @@ typedef struct pdb_methods NTSTATUS (*enum_group_mapping)(struct pdb_methods *methods, enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, int *num_entries, - BOOL unix_only, BOOL with_priv); + BOOL unix_only); void *private_data; /* Private data of some kind */ diff --git a/source3/include/privileges.h b/source3/include/privileges.h index 404c5d246b..67d8a2cbcc 100644 --- a/source3/include/privileges.h +++ b/source3/include/privileges.h @@ -23,6 +23,22 @@ #ifndef PRIVILEGES_H #define PRIVILEGES_H +#define PRIV_ALL_INDEX 5 + +#define SE_PRIV_NONE 0x0000 +#define SE_PRIV_ADD_MACHINES 0x0006 +#define SE_PRIV_SEC_PRIV 0x0008 +#define SE_PRIV_TAKE_OWNER 0x0009 +#define SE_PRIV_ADD_USERS 0xff01 +#define SE_PRIV_PRINT_OPERATOR 0xff03 +#define SE_PRIV_ALL 0xffff + +#define PR_NONE 0x0000 +#define PR_LOG_ON_LOCALLY 0x0001 +#define PR_ACCESS_FROM_NETWORK 0x0002 +#define PR_LOG_ON_BATCH_JOB 0x0004 +#define PR_LOG_ON_SERVICE 0x0010 + typedef struct LUID { uint32 low; @@ -42,4 +58,11 @@ typedef struct privilege_set LUID_ATTR *set; } PRIVILEGE_SET; -#endif /* _RPC_LSA_H */ +typedef struct _PRIVS { + uint32 se_priv; + const char *priv; + const char *description; +} PRIVS; + + +#endif /* PRIVILEGES_H */ diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index f34513b225..e2e0758845 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -413,7 +413,7 @@ NTSTATUS pdb_set_sam_sids(SAM_ACCOUNT *account_data, const struct passwd *pwd) } /* call the mapping code here */ - if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) { + if(pdb_getgrgid(&map, pwd->pw_gid)) { if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){ DEBUG(0,("Can't set Group SID!\n")); return NT_STATUS_INVALID_PARAMETER; @@ -717,7 +717,7 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use pdb_free_sam(&sam_account); - if (pdb_getgrsid(&map, *sid, MAPPING_WITHOUT_PRIV)) { + if (pdb_getgrsid(&map, *sid)) { if (map.gid!=(gid_t)-1) { DEBUG(5,("local_lookup_sid: mapped group %s to gid %u\n", map.nt_name, (unsigned int)map.gid)); } else { @@ -827,7 +827,7 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi */ /* check if it's a mapped group */ - if (pdb_getgrnam(&map, user, MAPPING_WITHOUT_PRIV)) { + if (pdb_getgrnam(&map, user)) { /* yes it's a mapped group */ sid_copy(&local_sid, &map.sid); *psid_name_use = map.sid_name_use; @@ -849,7 +849,7 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi * JFM, 30/11/2001 */ - if (pdb_getgrgid(&map, grp->gr_gid, MAPPING_WITHOUT_PRIV)){ + if (pdb_getgrgid(&map, grp->gr_gid)){ return False; } diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c index 7640228ab9..a78f07e829 100644 --- a/source3/passdb/pdb_interface.c +++ b/source3/passdb/pdb_interface.c @@ -258,7 +258,7 @@ static NTSTATUS context_delete_sam_account(struct pdb_context *context, SAM_ACCO } static NTSTATUS context_getgrsid(struct pdb_context *context, - GROUP_MAP *map, DOM_SID sid, BOOL with_priv) + GROUP_MAP *map, DOM_SID sid) { NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; @@ -269,7 +269,7 @@ static NTSTATUS context_getgrsid(struct pdb_context *context, } curmethods = context->pdb_methods; while (curmethods){ - ret = curmethods->getgrsid(curmethods, map, sid, with_priv); + ret = curmethods->getgrsid(curmethods, map, sid); if (NT_STATUS_IS_OK(ret)) { map->methods = curmethods; return ret; @@ -281,7 +281,7 @@ static NTSTATUS context_getgrsid(struct pdb_context *context, } static NTSTATUS context_getgrgid(struct pdb_context *context, - GROUP_MAP *map, gid_t gid, BOOL with_priv) + GROUP_MAP *map, gid_t gid) { NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; @@ -292,7 +292,7 @@ static NTSTATUS context_getgrgid(struct pdb_context *context, } curmethods = context->pdb_methods; while (curmethods){ - ret = curmethods->getgrgid(curmethods, map, gid, with_priv); + ret = curmethods->getgrgid(curmethods, map, gid); if (NT_STATUS_IS_OK(ret)) { map->methods = curmethods; return ret; @@ -304,7 +304,7 @@ static NTSTATUS context_getgrgid(struct pdb_context *context, } static NTSTATUS context_getgrnam(struct pdb_context *context, - GROUP_MAP *map, char *name, BOOL with_priv) + GROUP_MAP *map, char *name) { NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; @@ -315,7 +315,7 @@ static NTSTATUS context_getgrnam(struct pdb_context *context, } curmethods = context->pdb_methods; while (curmethods){ - ret = curmethods->getgrnam(curmethods, map, name, with_priv); + ret = curmethods->getgrnam(curmethods, map, name); if (NT_STATUS_IS_OK(ret)) { map->methods = curmethods; return ret; @@ -371,7 +371,7 @@ static NTSTATUS context_delete_group_mapping_entry(struct pdb_context *context, static NTSTATUS context_enum_group_mapping(struct pdb_context *context, enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, int *num_entries, - BOOL unix_only, BOOL with_priv) + BOOL unix_only) { NTSTATUS ret = NT_STATUS_UNSUCCESSFUL; @@ -382,8 +382,7 @@ static NTSTATUS context_enum_group_mapping(struct pdb_context *context, return context->pdb_methods->enum_group_mapping(context->pdb_methods, sid_name_use, rmap, - num_entries, unix_only, - with_priv); + num_entries, unix_only); } /****************************************************************** @@ -668,7 +667,7 @@ BOOL pdb_delete_sam_account(SAM_ACCOUNT *sam_acct) return NT_STATUS_IS_OK(pdb_context->pdb_delete_sam_account(pdb_context, sam_acct)); } -BOOL pdb_getgrsid(GROUP_MAP *map, DOM_SID sid, BOOL with_priv) +BOOL pdb_getgrsid(GROUP_MAP *map, DOM_SID sid) { struct pdb_context *pdb_context = pdb_get_static_context(False); @@ -677,10 +676,10 @@ BOOL pdb_getgrsid(GROUP_MAP *map, DOM_SID sid, BOOL with_priv) } return NT_STATUS_IS_OK(pdb_context-> - pdb_getgrsid(pdb_context, map, sid, with_priv)); + pdb_getgrsid(pdb_context, map, sid)); } -BOOL pdb_getgrgid(GROUP_MAP *map, gid_t gid, BOOL with_priv) +BOOL pdb_getgrgid(GROUP_MAP *map, gid_t gid) { struct pdb_context *pdb_context = pdb_get_static_context(False); @@ -689,10 +688,10 @@ BOOL pdb_getgrgid(GROUP_MAP *map, gid_t gid, BOOL with_priv) } return NT_STATUS_IS_OK(pdb_context-> - pdb_getgrgid(pdb_context, map, gid, with_priv)); + pdb_getgrgid(pdb_context, map, gid)); } -BOOL pdb_getgrnam(GROUP_MAP *map, char *name, BOOL with_priv) +BOOL pdb_getgrnam(GROUP_MAP *map, char *name) { struct pdb_context *pdb_context = pdb_get_static_context(False); @@ -701,7 +700,7 @@ BOOL pdb_getgrnam(GROUP_MAP *map, char *name, BOOL with_priv) } return NT_STATUS_IS_OK(pdb_context-> - pdb_getgrnam(pdb_context, map, name, with_priv)); + pdb_getgrnam(pdb_context, map, name)); } BOOL pdb_add_group_mapping_entry(GROUP_MAP *map) @@ -741,7 +740,7 @@ BOOL pdb_delete_group_mapping_entry(DOM_SID sid) } BOOL pdb_enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, - int *num_entries, BOOL unix_only, BOOL with_priv) + int *num_entries, BOOL unix_only) { struct pdb_context *pdb_context = pdb_get_static_context(False); @@ -751,8 +750,7 @@ BOOL pdb_enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, return NT_STATUS_IS_OK(pdb_context-> pdb_enum_group_mapping(pdb_context, sid_name_use, - rmap, num_entries, unix_only, - with_priv)); + rmap, num_entries, unix_only)); } /*************************************************************** diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c index e484818c5d..e8ba639073 100644 --- a/source3/passdb/pdb_ldap.c +++ b/source3/passdb/pdb_ldap.c @@ -1673,7 +1673,7 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state, { GROUP_MAP map; /* call the mapping code here */ - if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) { + if(pdb_getgrgid(&map, gid)) { pdb_set_group_sid(sampass, &map.sid, PDB_SET); } else { @@ -2815,9 +2815,6 @@ static BOOL init_group_from_ldap(struct ldapsam_privates *ldap_state, } fstrcpy(map->comment, temp); - map->systemaccount = 0; - init_privilege(&map->priv_set); - return True; } @@ -2906,7 +2903,7 @@ static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods, *********************************************************************/ static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map, - DOM_SID sid, BOOL with_priv) + DOM_SID sid) { pstring filter; @@ -2922,7 +2919,7 @@ static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map, *********************************************************************/ static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map, - gid_t gid, BOOL with_priv) + gid_t gid) { pstring filter; @@ -2938,7 +2935,7 @@ static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map, *********************************************************************/ static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map, - char *name, BOOL with_priv) + const char *name) { pstring filter; @@ -2989,7 +2986,7 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods, int rc; if (NT_STATUS_IS_OK(ldapsam_getgrgid(methods, &dummy, - map->gid, False))) { + map->gid))) { DEBUG(0, ("Group %i already exists in LDAP\n", map->gid)); return NT_STATUS_UNSUCCESSFUL; } @@ -3215,7 +3212,7 @@ static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods, static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods, enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, int *num_entries, - BOOL unix_only, BOOL with_priv) + BOOL unix_only) { GROUP_MAP map; GROUP_MAP *mapt; diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index 2a24d7faa5..93e97a7492 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -403,8 +403,16 @@ NTSTATUS _lsa_open_policy2(pipes_struct *p, LSA_Q_OPEN_POL2 *q_u, LSA_R_OPEN_POL /* get the generic lsa policy SD until we store it */ lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size); - if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) - return status; + if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) { + if (geteuid() != 0) { + return status; + } + DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", + acc_granted, des_access)); + DEBUGADD(4,("but overwritten by euid == 0\n")); + acc_granted = des_access; + } + /* associate the domain SID with the (unique) handle. */ if ((info = (struct lsa_info *)malloc(sizeof(struct lsa_info))) == NULL) @@ -441,8 +449,15 @@ NTSTATUS _lsa_open_policy(pipes_struct *p, LSA_Q_OPEN_POL *q_u, LSA_R_OPEN_POL * /* get the generic lsa policy SD until we store it */ lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size); - if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) - return status; + if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) { + if (geteuid() != 0) { + return status; + } + DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n", + acc_granted, des_access)); + DEBUGADD(4,("but overwritten by euid == 0\n")); + acc_granted = des_access; + } /* associate the domain SID with the (unique) handle. */ if ((info = (struct lsa_info *)malloc(sizeof(struct lsa_info))) == NULL) @@ -844,7 +859,7 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU return NT_STATUS_ACCESS_DENIED; /* get the list of mapped groups (domain, local, builtin) */ - if(!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) + if(!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED)) return NT_STATUS_OK; if (q_u->enum_context >= num_entries) @@ -949,8 +964,6 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS { struct lsa_info *info=NULL; GROUP_MAP map; - int i=0; - LUID_ATTR *set=NULL; r_u->status = NT_STATUS_OK; @@ -959,9 +972,10 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV)) + if (!pdb_getgrsid(&map, info->sid)) return NT_STATUS_NO_SUCH_GROUP; +#if 0 /* privileges currently not implemented! */ DEBUG(10,("_lsa_enum_privsaccount: %d privileges\n", map.priv_set.count)); if (map.priv_set.count!=0) { @@ -982,6 +996,9 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS init_lsa_r_enum_privsaccount(r_u, set, map.priv_set.count, 0); free_privilege(&map.priv_set); +#endif + + init_lsa_r_enum_privsaccount(r_u, set, 0, 0); return r_u->status; } @@ -1000,7 +1017,7 @@ NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - if (!pdb_getgrsid(&map, info->sid, MAPPING_WITHOUT_PRIV)) + if (!pdb_getgrsid(&map, info->sid)) return NT_STATUS_NO_SUCH_GROUP; /* @@ -1012,7 +1029,7 @@ NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA they can be ORed together */ - r_u->access=map.systemaccount; + r_u->access = PR_LOG_ON_LOCALLY | PR_ACCESS_FROM_NETWORK; return r_u->status; } @@ -1031,16 +1048,12 @@ NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV)) + if (!pdb_getgrsid(&map, info->sid)) return NT_STATUS_NO_SUCH_GROUP; - map.systemaccount=q_u->access; - if(!pdb_update_group_mapping_entry(&map)) return NT_STATUS_NO_SUCH_GROUP; - free_privilege(&map.priv_set); - return r_u->status; } @@ -1050,20 +1063,22 @@ NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u) { +#if 0 struct lsa_info *info=NULL; GROUP_MAP map; int i=0; - LUID_ATTR *luid_attr=NULL; PRIVILEGE_SET *set=NULL; +#endif r_u->status = NT_STATUS_OK; +#if 0 /* privileges are not implemented */ /* find the connection policy handle. */ if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV)) + if (!pdb_getgrsid(&map, info->sid)) return NT_STATUS_NO_SUCH_GROUP; set=&q_u->set; @@ -1085,6 +1100,7 @@ NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u free_privilege(&map.priv_set); +#endif return r_u->status; } @@ -1094,20 +1110,22 @@ NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEPRIVS *r_u) { +#if 0 struct lsa_info *info=NULL; GROUP_MAP map; int i=0; - LUID_ATTR *luid_attr=NULL; PRIVILEGE_SET *set=NULL; +#endif r_u->status = NT_STATUS_OK; +#if 0 /* privileges are not implemented */ /* find the connection policy handle. */ if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV)) + if (!pdb_getgrsid(&map, info->sid)) return NT_STATUS_NO_SUCH_GROUP; if (q_u->allrights!=0) { @@ -1141,7 +1159,7 @@ NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEP return NT_STATUS_NO_SUCH_GROUP; free_privilege(&map.priv_set); - +#endif return r_u->status; } diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 40f6579e27..6039cac96c 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -304,7 +304,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid) become_root(); - if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) { + if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED)) { DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n")); return NT_STATUS_NO_MEMORY; } @@ -900,7 +900,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM /* well-known aliases */ if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) { - pdb_enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV); + pdb_enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED); if (num_entries != 0) { *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP)); @@ -937,7 +937,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM for (; (num_entries < max_entries) && (grp != NULL); grp = grp->next) { uint32 trid; - if(!pdb_getgrgid(&smap, grp->gr_gid, MAPPING_WITHOUT_PRIV)) + if(!pdb_getgrgid(&smap, grp->gr_gid)) continue; if (smap.sid_name_use!=SID_NAME_ALIAS) { @@ -1018,7 +1018,7 @@ static NTSTATUS get_group_domain_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DO *p_num_entries = 0; - pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV); + pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); num_entries=group_entries-start_idx; @@ -1346,7 +1346,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM !sid_check_is_in_builtin(&sid)) return NT_STATUS_OBJECT_TYPE_MISMATCH; - if (!pdb_getgrsid(&map, sid, MAPPING_WITHOUT_PRIV)) + if (!pdb_getgrsid(&map, sid)) return NT_STATUS_NO_SUCH_ALIAS; switch (q_u->switch_level) { @@ -3215,12 +3215,12 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_ if (sid_equal(&alias_sid, &global_sid_Builtin)) { DEBUG(10, ("lookup on Builtin SID (S-1-5-32)\n")); - if(!get_builtin_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_builtin_group_from_sid(als_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; } else { if (sid_equal(&alias_sid, get_global_sam_sid())) { DEBUG(10, ("lookup on Server SID\n")); - if(!get_local_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_local_group_from_sid(als_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; } } @@ -3321,7 +3321,7 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_ sid_append_rid(&group_sid, group_rid); DEBUG(10, ("lookup on Domain SID\n")); - if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; if(!get_uid_list_of_group(map.gid, &uid, &num_uids)) @@ -3405,13 +3405,13 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD if (sid_compare(&alias_sid, get_global_sam_sid())>0) { DEBUG(10, ("adding member on Server SID\n")); - if(!get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_local_group_from_sid(alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; } else { if (sid_compare(&alias_sid, &global_sid_Builtin)>0) { DEBUG(10, ("adding member on BUILTIN SID\n")); - if( !get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV)) + if( !get_local_group_from_sid(alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; } else @@ -3502,7 +3502,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE return NT_STATUS_NO_SUCH_ALIAS; } - if( !get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV)) + if( !get_local_group_from_sid(alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; if ((grp=getgrgid(map.gid)) == NULL) @@ -3572,7 +3572,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD DEBUG(10, ("lookup on Domain SID\n")); - if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; sid_copy(&user_sid, get_global_sam_sid()); @@ -3667,7 +3667,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE sid_copy(&user_sid, get_global_sam_sid()); sid_append_rid(&user_sid, q_u->rid); - if (!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) + if (!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; if ((grp=getgrgid(map.gid)) == NULL) @@ -3812,7 +3812,7 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S DEBUG(10, ("lookup on Domain SID\n")); - if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; gid=map.gid; @@ -3874,7 +3874,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S DEBUG(10, ("lookup on Local SID\n")); - if(!get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV)) + if(!get_local_group_from_sid(alias_sid, &map)) return NT_STATUS_NO_SUCH_ALIAS; gid=map.gid; @@ -3911,12 +3911,9 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S fstring sid_string; struct group *grp; struct samr_info *info; - PRIVILEGE_SET priv_set; uint32 acc_granted; gid_t gid; - init_privilege(&priv_set); - /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; @@ -3951,7 +3948,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S sid_append_rid(&info_sid, r_u->rid); sid_to_string(sid_string, &info_sid); - if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL, priv_set, PR_ACCESS_FROM_NETWORK)) + if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL)) return NT_STATUS_ACCESS_DENIED; if ((info = get_samr_info_by_sid(&info_sid)) == NULL) @@ -3976,12 +3973,9 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S fstring sid_string; struct group *grp; struct samr_info *info; - PRIVILEGE_SET priv_set; uint32 acc_granted; gid_t gid; - init_privilege(&priv_set); - /* Find the policy handle. Open a policy on it. */ if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted)) return NT_STATUS_INVALID_HANDLE; @@ -4016,7 +4010,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S sid_to_string(sid_string, &info_sid); /* add the group to the mapping table */ - if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL, priv_set, PR_ACCESS_FROM_NETWORK)) + if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL)) return NT_STATUS_ACCESS_DENIED; if ((info = get_samr_info_by_sid(&info_sid)) == NULL) @@ -4052,7 +4046,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM return r_u->status; } - if (!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV)) + if (!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_INVALID_HANDLE; ctr=(GROUP_INFO_CTR *)talloc_zero(p->mem_ctx, sizeof(GROUP_INFO_CTR)); @@ -4104,7 +4098,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ return r_u->status; } - if (!get_domain_group_from_sid(group_sid, &map, MAPPING_WITH_PRIV)) + if (!get_domain_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; ctr=q_u->ctr; @@ -4117,17 +4111,13 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_ unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)-1); break; default: - free_privilege(&map.priv_set); return NT_STATUS_INVALID_INFO_CLASS; } if(!pdb_update_group_mapping_entry(&map)) { - free_privilege(&map.priv_set); return NT_STATUS_NO_SUCH_GROUP; } - free_privilege(&map.priv_set); - return NT_STATUS_OK; } @@ -4151,7 +4141,7 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ return r_u->status; } - if (!get_local_group_from_sid(group_sid, &map, MAPPING_WITH_PRIV)) + if (!get_local_group_from_sid(group_sid, &map)) return NT_STATUS_NO_SUCH_GROUP; ctr=&q_u->ctr; @@ -4161,17 +4151,13 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_ unistr2_to_ascii(map.comment, &(ctr->alias.info3.uni_acct_desc), sizeof(map.comment)-1); break; default: - free_privilege(&map.priv_set); return NT_STATUS_INVALID_INFO_CLASS; } if(!pdb_update_group_mapping_entry(&map)) { - free_privilege(&map.priv_set); return NT_STATUS_NO_SUCH_GROUP; } - free_privilege(&map.priv_set); - return NT_STATUS_OK; } @@ -4246,7 +4232,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string)); /* check if that group really exists */ - if (!get_domain_group_from_sid(info->sid, &map, MAPPING_WITHOUT_PRIV)) + if (!get_domain_group_from_sid(info->sid, &map)) return NT_STATUS_NO_SUCH_GROUP; /* get a (unique) handle. open a policy on it. */ diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c index c43eb22375..a97864dbda 100644 --- a/source3/rpc_server/srv_util.c +++ b/source3/rpc_server/srv_util.c @@ -148,13 +148,14 @@ NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, ui } for (i=0;i<num_groups;i++) { - if(!get_group_from_gid(groups[i], &map, MAPPING_WITHOUT_PRIV)) { + + if (!get_group_from_gid(groups[i], &map)) { DEBUG(10,("get_alias_user_groups: gid %d. not found\n", (int)groups[i])); continue; } /* if it's not an alias, continue */ - if (map.sid_name_use!=SID_NAME_ALIAS) { + if (map.sid_name_use != SID_NAME_ALIAS) { DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name)); continue; } @@ -208,7 +209,7 @@ NTSTATUS get_alias_user_groups(TALLOC_CTX *ctx, DOM_SID *sid, int *numgroups, ui DEBUG(10,("get_alias_user_groups: looking for gid %d of user %s\n", (int)gid, user_name)); - if(!get_group_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) { + if(!get_group_from_gid(gid, &map)) { DEBUG(0,("get_alias_user_groups: gid of user %s doesn't exist. Check your /etc/passwd and /etc/group files\n", user_name)); goto done; } @@ -281,7 +282,7 @@ BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SA DEBUG(10,("get_domain_user_groups: searching domain groups [%s] is a member of\n", user_name)); /* first get the list of the domain groups */ - if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) + if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED)) return False; DEBUG(10,("get_domain_user_groups: there are %d mapped groups\n", num_entries)); diff --git a/source3/sam/idmap_util.c b/source3/sam/idmap_util.c index 012da29300..3f36e701f6 100644 --- a/source3/sam/idmap_util.c +++ b/source3/sam/idmap_util.c @@ -347,7 +347,7 @@ BOOL idmap_init_wellknown_sids(void) } /* now fill in group mappings */ - if(pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) { + if(pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED)) { int i; for (i = 0; i < num_entries; i++) { diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c index 98857c6d32..6976a06684 100644 --- a/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c @@ -1649,7 +1649,7 @@ static BOOL api_RNetGroupEnum(connection_struct *conn,uint16 vuid, char *param,c return False; /* get list of domain groups SID_DOMAIN_GRP=2 */ - if(!pdb_enum_group_mapping(SID_NAME_DOM_GRP , &group_list, &num_entries, False, False)) { + if(!pdb_enum_group_mapping(SID_NAME_DOM_GRP , &group_list, &num_entries, False)) { DEBUG(3,("api_RNetGroupEnum:failed to get group list")); return False; } diff --git a/source3/utils/net.c b/source3/utils/net.c index 2b1609e225..0f43c4aad3 100644 --- a/source3/utils/net.c +++ b/source3/utils/net.c @@ -595,7 +595,7 @@ static uint32 get_maxrid(void) pdb_free_sam(&pwd); if (!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, - ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) + ENUM_ONLY_MAPPED)) return max_rid; for (i = 0; i < num_entries; i++) { diff --git a/source3/utils/net_groupmap.c b/source3/utils/net_groupmap.c index 905fdf6287..fd6e4aef59 100644 --- a/source3/utils/net_groupmap.c +++ b/source3/utils/net_groupmap.c @@ -65,7 +65,7 @@ static BOOL get_sid_from_input(DOM_SID *sid, char *input) if (StrnCaseCmp( input, "S-", 2)) { /* Perhaps its the NT group name? */ - if (!pdb_getgrnam(&map, input, MAPPING_WITHOUT_PRIV)) { + if (!pdb_getgrnam(&map, input)) { printf("NT Group %s doesn't exist in mapping DB\n", input); return False; } else { @@ -88,11 +88,9 @@ static void print_map_entry ( GROUP_MAP map, BOOL long_list ) { fstring string_sid; fstring group_type; - fstring priv_text; decode_sid_name_use(group_type, map.sid_name_use); sid_to_string(string_sid, &map.sid); - convert_priv_to_text(&(map.priv_set), priv_text); if (!long_list) d_printf("%s (%s) -> %s\n", map.nt_name, string_sid, gidtoname(map.gid)); @@ -102,7 +100,6 @@ static void print_map_entry ( GROUP_MAP map, BOOL long_list ) d_printf("\tUnix group: %s\n", gidtoname(map.gid)); d_printf("\tGroup type: %s\n", group_type); d_printf("\tComment : %s\n", map.comment); - d_printf("\tPrivilege : %s\n\n", priv_text); } } @@ -155,23 +152,21 @@ int net_groupmap_list(int argc, const char **argv) } /* Get the current mapping from the database */ - if(!pdb_getgrsid(&map, sid, MAPPING_WITH_PRIV)) { + if(!pdb_getgrsid(&map, sid)) { d_printf("Failure to local group SID in the database\n"); return -1; } print_map_entry( map, long_list ); - free_privilege(&(map.priv_set)); } else { GROUP_MAP *map=NULL; /* enumerate all group mappings */ - if ( !pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED, MAPPING_WITH_PRIV) ) + if (!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED)) return -1; for (i=0; i<entries; i++) { print_map_entry( map[i], long_list ); - free_privilege(&(map[i].priv_set)); } } @@ -184,7 +179,6 @@ int net_groupmap_list(int argc, const char **argv) int net_groupmap_add(int argc, const char **argv) { - PRIVILEGE_SET se_priv; DOM_SID sid; fstring ntgroup = ""; fstring unixgrp = ""; @@ -280,20 +274,11 @@ int net_groupmap_add(int argc, const char **argv) fstrcpy( ntgroup, unixgrp ); - init_privilege(&se_priv); -#if 0 - if (privilege!=NULL) - convert_priv_from_text(&se_priv, privilege); -#endif - - if (!add_initial_entry(gid, string_sid, sid_type, ntgroup, - ntcomment, se_priv, PR_ACCESS_FROM_NETWORK) ) { + if (!add_initial_entry(gid, string_sid, sid_type, ntgroup, ntcomment)) { d_printf("adding entry for group %s failed!\n", ntgroup); return -1; } - free_privilege(&se_priv); - d_printf("Successully added group %s to the mapping db\n", ntgroup); return 0; } @@ -381,7 +366,7 @@ int net_groupmap_modify(int argc, const char **argv) } /* Get the current mapping from the database */ - if(!pdb_getgrsid(&map, sid, MAPPING_WITH_PRIV)) { + if(!pdb_getgrsid(&map, sid)) { d_printf("Failure to local group SID in the database\n"); return -1; } @@ -390,9 +375,8 @@ int net_groupmap_modify(int argc, const char **argv) * Allow changing of group type only between domain and local * We disallow changing Builtin groups !!! (SID problem) */ - if ( sid_type != SID_NAME_UNKNOWN ) - { - if ( map.sid_name_use == SID_NAME_WKN_GRP ) { + if (sid_type != SID_NAME_UNKNOWN) { + if (map.sid_name_use == SID_NAME_WKN_GRP) { d_printf("You can only change between domain and local groups.\n"); return -1; } @@ -418,20 +402,11 @@ int net_groupmap_modify(int argc, const char **argv) map.gid = gid; } -#if 0 - /* Change the privilege if new one */ - if (privilege!=NULL) - convert_priv_from_text(&map.priv_set, privilege); -#endif - if ( !pdb_update_group_mapping_entry(&map) ) { d_printf("Could not update group database\n"); - free_privilege(&map.priv_set); return -1; } - free_privilege(&map.priv_set); - d_printf("Updated mapping entry for %s\n", ntgroup); return 0; diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c index 72231fd527..ada2d274ba 100644 --- a/source3/utils/net_rpc_samsync.c +++ b/source3/utils/net_rpc_samsync.c @@ -460,7 +460,7 @@ fetch_account_info(uint32 rid, SAM_ACCOUNT_INFO *delta) sid = *pdb_get_group_sid(sam_account); - if (!pdb_getgrsid(&map, sid, False)) { + if (!pdb_getgrsid(&map, sid)) { DEBUG(0, ("Primary group of %s has no mapping!\n", pdb_get_username(sam_account))); pdb_free_sam(&sam_account); @@ -518,7 +518,7 @@ fetch_group_info(uint32 rid, SAM_GROUP_INFO *delta) sid_append_rid(&group_sid, rid); sid_to_string(sid_string, &group_sid); - if (pdb_getgrsid(&map, group_sid, False)) { + if (pdb_getgrsid(&map, group_sid)) { grp = getgrgid(map.gid); insert = False; } @@ -544,9 +544,6 @@ fetch_group_info(uint32 rid, SAM_GROUP_INFO *delta) fstrcpy(map.nt_name, name); fstrcpy(map.comment, comment); - map.priv_set.count = 0; - map.priv_set.set = NULL; - if (insert) pdb_add_group_mapping_entry(&map); else @@ -573,7 +570,7 @@ fetch_group_mem_info(uint32 rid, SAM_GROUP_MEM_INFO *delta) sid_copy(&group_sid, get_global_sam_sid()); sid_append_rid(&group_sid, rid); - if (!get_domain_group_from_sid(group_sid, &map, False)) { + if (!get_domain_group_from_sid(group_sid, &map)) { DEBUG(0, ("Could not find global group %d\n", rid)); return NT_STATUS_NO_SUCH_GROUP; } @@ -698,7 +695,7 @@ static NTSTATUS fetch_alias_info(uint32 rid, SAM_ALIAS_INFO *delta, sid_append_rid(&alias_sid, rid); sid_to_string(sid_string, &alias_sid); - if (pdb_getgrsid(&map, alias_sid, False)) { + if (pdb_getgrsid(&map, alias_sid)) { grp = getgrgid(map.gid); insert = False; } @@ -728,9 +725,6 @@ static NTSTATUS fetch_alias_info(uint32 rid, SAM_ALIAS_INFO *delta, fstrcpy(map.nt_name, name); fstrcpy(map.comment, comment); - map.priv_set.count = 0; - map.priv_set.set = NULL; - if (insert) pdb_add_group_mapping_entry(&map); else diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c index d540bf42de..571775a741 100644 --- a/source3/utils/pdbedit.c +++ b/source3/utils/pdbedit.c @@ -91,7 +91,7 @@ static int export_groups (struct pdb_context *in, struct pdb_context *out) { if (NT_STATUS_IS_ERR(in->pdb_enum_group_mapping(in, SID_NAME_UNKNOWN, &maps, &entries, - False, False))) { + False))) { fprintf(stderr, "Can't get group mappings!\n"); return 1; } |