summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/groupdb/mapping.c215
-rw-r--r--source3/include/mapping.h26
-rw-r--r--source3/libsmb/cli_lsarpc.c2
-rw-r--r--source3/passdb/passdb.c39
-rw-r--r--source3/rpc_parse/parse_lsa.c9
-rw-r--r--source3/rpc_server/srv_lsa_nt.c12
-rw-r--r--source3/rpc_server/srv_samr_nt.c2
-rw-r--r--source3/utils/smbgroupedit.c56
8 files changed, 266 insertions, 95 deletions
diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c
index 5173132af8..678824d812 100644
--- a/source3/groupdb/mapping.c
+++ b/source3/groupdb/mapping.c
@@ -30,11 +30,13 @@ static TDB_CONTEXT *tdb; /* used for driver files */
#define GROUP_PREFIX "UNIXGROUP/"
PRIVS privs[] = {
- {SE_PRIV_NONE, "no_privs", "No privilege"},
- {SE_PRIV_ADD_USERS, "add_users", "add users"},
- {SE_PRIV_ADD_MACHINES, "add_computers", "add computers to domain"},
- {SE_PRIV_PRINT_OPERATOR, "print_op", "printer operator"},
- {SE_PRIV_ALL, "all_privs", "all privileges"}
+ {SE_PRIV_NONE, "no_privs", "No privilege" }, /* this one MUST be first */
+ {SE_PRIV_ADD_MACHINES, "SeMachineAccountPrivilege", "Add workstations to the domain" },
+ {SE_PRIV_SEC_PRIV, "SeSecurityPrivilege", "Manage the audit logs" },
+ {SE_PRIV_TAKE_OWNER, "SeTakeOwnershipPrivilege", "Take ownership of file" },
+ {SE_PRIV_ADD_USERS, "SaAddUsers", "Add users to the domain - Samba" },
+ {SE_PRIV_PRINT_OPERATOR, "SaPrintOp", "Add or remove printers - Samba" },
+ {SE_PRIV_ALL, "SaAllPrivs", "all privileges" }
};
/*
PRIVS privs[] = {
@@ -61,6 +63,9 @@ PRIVS privs[] = {
{ 22, "SeSystemEnvironmentPrivilege" },
{ 23, "SeChangeNotifyPrivilege" },
{ 24, "SeRemoteShutdownPrivilege" },
+ { 25, "SeUndockPrivilege" },
+ { 26, "SeSyncAgentPrivilege" },
+ { 27, "SeEnableDelegationPrivilege" },
};
*/
@@ -157,11 +162,15 @@ BOOL add_mapping_entry(GROUP_MAP *map, int flag)
pstring key, buf;
fstring string_sid="";
int len;
+ int i;
sid_to_string(string_sid, &map->sid);
- len = tdb_pack(buf, sizeof(buf), "ddffd",
- map->gid, map->sid_name_use, map->nt_name, map->comment, map->privilege);
+ len = tdb_pack(buf, sizeof(buf), "ddff",
+ map->gid, map->sid_name_use, map->nt_name, map->comment);
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ len += tdb_pack(buf+len, sizeof(buf)-len, "d", map->privileges[i]);
if (len > sizeof(buf)) return False;
@@ -180,16 +189,18 @@ BOOL add_mapping_entry(GROUP_MAP *map, int flag)
initialise first time the mapping list
****************************************************************************/
BOOL add_initial_entry(gid_t gid, fstring sid, enum SID_NAME_USE sid_name_use,
- fstring nt_name, fstring comment, uint32 privilege)
+ fstring nt_name, fstring comment, uint32 *privilege)
{
GROUP_MAP map;
+ int i;
map.gid=gid;
string_to_sid(&map.sid, sid);
map.sid_name_use=sid_name_use;
fstrcpy(map.nt_name, nt_name);
fstrcpy(map.comment, comment);
- map.privilege=privilege;
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ map.privileges[i]=privilege[i];
add_mapping_entry(&map, TDB_INSERT);
@@ -197,6 +208,79 @@ BOOL add_initial_entry(gid_t gid, fstring sid, enum SID_NAME_USE sid_name_use,
}
/****************************************************************************
+initialise a privilege list
+****************************************************************************/
+void init_privilege(uint32 *privilege)
+{
+ int i;
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ privilege[i]=0;
+}
+
+/****************************************************************************
+add a privilege to a privilege array
+****************************************************************************/
+BOOL add_privilege(uint32 *privilege, uint32 priv)
+{
+ int i;
+
+ while (i<PRIV_ALL_INDEX && privilege[i]!=0 && privilege[i]!=priv)
+ i++;
+
+ if (i==PRIV_ALL_INDEX) {
+ DEBUG(10,("add_privilege: the privilege array is full, can't add new priv\n"));
+ return False;
+ }
+
+ if (privilege[i]==priv) {
+ DEBUG(10,("add_privilege: privilege already in array\n"));
+ return False;
+ }
+
+ if (privilege[i]==0)
+ privilege[i]=priv;
+
+ return True;
+}
+
+/****************************************************************************
+add all the privileges to a privilege array
+****************************************************************************/
+BOOL add_all_privilege(uint32 *privilege)
+{
+ add_privilege(privilege, SE_PRIV_ADD_USERS);
+ add_privilege(privilege, SE_PRIV_ADD_MACHINES);
+ add_privilege(privilege, SE_PRIV_PRINT_OPERATOR);
+}
+
+/****************************************************************************
+check if the privilege list is empty
+****************************************************************************/
+BOOL check_empty_privilege(uint32 *privilege)
+{
+ int i;
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ if(privilege[i]!=0)
+ return False;
+ return True;
+}
+
+/****************************************************************************
+check if the privilege is in the privilege list
+****************************************************************************/
+BOOL check_priv_in_privilege(uint32 *privilege, uint32 priv)
+{
+ int i;
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ if(privilege[i]==priv)
+ return True;
+ return False;
+}
+
+/****************************************************************************
initialise first time the mapping list
****************************************************************************/
BOOL default_group_mapping(void)
@@ -207,38 +291,50 @@ BOOL default_group_mapping(void)
fstring str_admins;
fstring str_users;
fstring str_guests;
+ int i;
+
+ uint32 privilege_none[PRIV_ALL_INDEX];
+ uint32 privilege_all[PRIV_ALL_INDEX];
+ uint32 privilege_print_op[PRIV_ALL_INDEX];
+
+ init_privilege(privilege_none);
+ init_privilege(privilege_all);
+ init_privilege(privilege_print_op);
+ add_privilege(privilege_print_op, SE_PRIV_PRINT_OPERATOR);
+
+ add_all_privilege(privilege_all);
/* Add the Wellknown groups */
- add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "", SE_PRIV_ALL);
- add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "", SE_PRIV_NONE);
- add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "", SE_PRIV_NONE);
- add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "", SE_PRIV_NONE);
+ add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "", privilege_all);
+ add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "", privilege_none);
+ add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "", privilege_none);
+ add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "", privilege_none);
- add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "", SE_PRIV_NONE);
- add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "", SE_PRIV_NONE);
- add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "", SE_PRIV_PRINT_OPERATOR);
- add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "", SE_PRIV_NONE);
+ add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "", privilege_none);
+ add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "", privilege_none);
+ add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "", privilege_print_op);
+ add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "", privilege_none);
- add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "", SE_PRIV_NONE);
+ add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "", privilege_none);
/* Add the defaults domain groups */
sid_copy(&sid_admins, &global_sam_sid);
sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS);
sid_to_string(str_admins, &sid_admins);
- add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "", SE_PRIV_ALL);
+ add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "", privilege_all);
sid_copy(&sid_users, &global_sam_sid);
sid_append_rid(&sid_users, DOMAIN_GROUP_RID_USERS);
sid_to_string(str_users, &sid_users);
- add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "", SE_PRIV_NONE);
+ add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "", privilege_none);
sid_copy(&sid_guests, &global_sam_sid);
sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS);
sid_to_string(str_guests, &sid_guests);
- add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "", SE_PRIV_NONE);
+ add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "", privilege_none);
return True;
}
@@ -253,6 +349,7 @@ BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
pstring key;
fstring string_sid;
int ret;
+ int i;
/* the key is the SID, retrieving is direct */
@@ -265,12 +362,15 @@ BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
dbuf = tdb_fetch(tdb, kbuf);
if (!dbuf.dptr) return False;
- ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
- &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->privilege);
+ ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
+ &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &map->privileges[i]);
SAFE_FREE(dbuf.dptr);
if (ret != dbuf.dsize) {
- DEBUG(0,("get_group_map_from_sid: mapping TDB corrupted ?\n"));
+ DEBUG(0,("get_group_map_from_sid: group mapping TDB corrupted ?\n"));
return False;
}
@@ -288,6 +388,7 @@ BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map)
TDB_DATA kbuf, dbuf, newkey;
fstring string_sid;
int ret;
+ int i;
/* we need to enumerate the TDB to find the GID */
@@ -304,8 +405,11 @@ BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map)
string_to_sid(&map->sid, string_sid);
- ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
- &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->privilege);
+ ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
+ &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &map->privileges[i]);
SAFE_FREE(dbuf.dptr);
if (ret != dbuf.dsize) continue;
@@ -325,8 +429,9 @@ BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map)
TDB_DATA kbuf, dbuf, newkey;
fstring string_sid;
int ret;
+ int i;
- /* we need to enumerate the TDB to find the GID */
+ /* we need to enumerate the TDB to find the SID */
for (kbuf = tdb_firstkey(tdb);
kbuf.dptr;
@@ -341,8 +446,11 @@ BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map)
string_to_sid(&map->sid, string_sid);
- ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
- &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->privilege);
+ ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
+ &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &map->privileges[i]);
SAFE_FREE(dbuf.dptr);
if (ret != dbuf.dsize) continue;
@@ -397,6 +505,7 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
GROUP_MAP *mapt;
int ret;
int entries=0;
+ int i;
*num_entries=0;
*rmap=NULL;
@@ -414,8 +523,11 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
- ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
- &map.gid, &map.sid_name_use, &map.nt_name, &map.comment, &map.privilege);
+ ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
+ &map.gid, &map.sid_name_use, &map.nt_name, &map.comment);
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &map.privileges[i]);
SAFE_FREE(dbuf.dptr);
if (ret != dbuf.dsize)
@@ -445,7 +557,8 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
mapt[entries].sid_name_use = map.sid_name_use;
fstrcpy(mapt[entries].nt_name, map.nt_name);
fstrcpy(mapt[entries].comment, map.comment);
- mapt[entries].privilege = map.privilege;
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ mapt[entries].privileges[i] = map.privileges[i];
entries++;
}
@@ -456,7 +569,7 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
/****************************************************************************
-convert a privilege list to a privilege value
+convert a privilege string to a privilege array
****************************************************************************/
void convert_priv_from_text(uint32 *se_priv, char *privilege)
{
@@ -465,46 +578,44 @@ void convert_priv_from_text(uint32 *se_priv, char *privilege)
int i;
/* By default no privilege */
- (*se_priv)=0x0;
-
+ init_privilege(se_priv);
+
if (privilege==NULL)
return;
while(next_token(&p, tok, " ", sizeof(tok)) ) {
for (i=0; i<=PRIV_ALL_INDEX; i++) {
if (StrCaseCmp(privs[i].priv, tok)==0)
- (*se_priv)+=privs[i].se_priv;
+ add_privilege(se_priv, privs[i].se_priv);
}
}
}
/****************************************************************************
-convert a privilege value to a privilege list
+convert a privilege array to a privilege string
****************************************************************************/
-void convert_priv_to_text(uint32 se_priv, char *privilege)
+void convert_priv_to_text(uint32 *se_priv, char *privilege)
{
- int i;
+ int i=0,j;
if (privilege==NULL)
return;
ZERO_STRUCTP(privilege);
- if (se_priv==SE_PRIV_NONE) {
- fstrcat(privilege, privs[0].priv);
+ if (check_empty_privilege(se_priv)) {
+ fstrcat(privilege, "No privilege");
return;
}
- if (se_priv==SE_PRIV_ALL) {
- fstrcat(privilege, privs[PRIV_ALL_INDEX].priv);
- return;
- }
+ while(i<PRIV_ALL_INDEX && se_priv[i]!=0) {
+ j=1;
+ while (privs[j].se_priv!=se_priv[i])
+ j++;
- for (i=1; privs[i].se_priv!=SE_PRIV_ALL; i++) {
- if ( (se_priv & privs[i].se_priv) == privs[i].se_priv) {
- fstrcat(privilege, privs[i].priv);
- fstrcat(privilege, " ");
- }
+ fstrcat(privilege, privs[j].priv);
+ fstrcat(privilege, " ");
+ i++;
}
}
@@ -585,7 +696,7 @@ BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map)
fstrcpy(map->nt_name, grp->gr_name);
fstrcpy(map->comment, "Local Unix Group");
- map->privilege=SE_PRIV_NONE;
+ init_privilege(map->privileges);
sid_copy(&map->sid, &sid);
}
@@ -632,7 +743,7 @@ BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map)
if (!get_group_map_from_gid(gid, map)) {
map->gid=gid;
map->sid_name_use=SID_NAME_ALIAS;
- map->privilege=SE_PRIV_NONE;
+ init_privilege(map->privileges);
sid_copy(&map->sid, &global_sam_sid);
sid_append_rid(&map->sid, pdb_gid_to_group_rid(gid));
diff --git a/source3/include/mapping.h b/source3/include/mapping.h
index f016e148ba..9a64eefa56 100644
--- a/source3/include/mapping.h
+++ b/source3/include/mapping.h
@@ -20,13 +20,26 @@
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
+#define PRIV_ALL_INDEX 5
+
+#define SE_PRIV_NONE 0x0000
+#define SE_PRIV_ADD_MACHINES 0x0006
+#define SE_PRIV_SEC_PRIV 0x0008
+#define SE_PRIV_TAKE_OWNER 0x0009
+#define SE_PRIV_ADD_USERS 0xff01
+#define SE_PRIV_PRINT_OPERATOR 0xff03
+#define SE_PRIV_ALL 0xffff
+
+#define ENUM_ONLY_MAPPED True
+#define ENUM_ALL_MAPPED False
+
typedef struct _GROUP_MAP {
gid_t gid;
DOM_SID sid;
enum SID_NAME_USE sid_name_use;
fstring nt_name;
fstring comment;
- uint32 privilege;
+ uint32 privileges[PRIV_ALL_INDEX];
} GROUP_MAP;
typedef struct _PRIVS {
@@ -35,14 +48,3 @@ typedef struct _PRIVS {
char *description;
} PRIVS;
-#define SE_PRIV_NONE 0x0000
-#define SE_PRIV_ADD_USERS 0x0001
-#define SE_PRIV_ADD_MACHINES 0x0002
-#define SE_PRIV_PRINT_OPERATOR 0x0004
-#define SE_PRIV_ALL 0xffff
-
-#define PRIV_ALL_INDEX 3
-
-
-#define ENUM_ONLY_MAPPED True
-#define ENUM_ALL_MAPPED False
diff --git a/source3/libsmb/cli_lsarpc.c b/source3/libsmb/cli_lsarpc.c
index 97f604fcb5..e944734292 100644
--- a/source3/libsmb/cli_lsarpc.c
+++ b/source3/libsmb/cli_lsarpc.c
@@ -787,6 +787,8 @@ NTSTATUS cli_lsa_enum_sids(struct cli_state *cli, TALLOC_CTX *mem_ctx,
goto done;
}
+ if (r.sids.num_entries==0)
+ goto done;
/* Return output parameters */
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 823feadea7..dc8e5471e1 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -75,7 +75,6 @@ static BOOL pdb_fill_default_sam(SAM_ACCOUNT *user)
user->logoff_time =
user->kickoff_time =
user->pass_must_change_time = get_time_t_max();
-
user->unknown_3 = 0x00ffffff; /* don't know */
user->logon_divs = 168; /* hours per week */
user->hours_len = 21; /* 21 times 8 bits = 168 */
@@ -536,6 +535,11 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use)
} else {
gid_t gid;
struct group *gr;
+ GROUP_MAP map;
+ DOM_SID local_sid;
+
+ sid_copy(&local_sid, &global_sam_sid);
+ sid_append_rid(&local_sid, rid);
/*
* Don't try to convert the rid to a name if running
@@ -544,6 +548,16 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use)
if (lp_hide_local_users())
return False;
+
+ /* check if it's a mapped group */
+ if (get_group_map_from_sid(local_sid, &map)) {
+ if (map.gid!=-1) {
+ DEBUG(5,("local_local_rid: mapped group %s to gid %u\n", map.nt_name, (unsigned int)map.gid));
+ fstrcpy(name, map.nt_name);
+ *psid_name_use = map.sid_name_use;
+ return True;
+ }
+ }
gid = pdb_user_rid_to_gid(rid);
gr = getgrgid(gid);
@@ -617,13 +631,24 @@ BOOL local_lookup_name(const char *c_domain, const char *c_user, DOM_SID *psid,
/*
* Maybe it was a group ?
*/
- struct group *grp = getgrnam(user);
-
- if(!grp)
- return False;
+ struct group *grp;
+ GROUP_MAP map;
+
+ /* check if it's a mapped group */
+ if (get_group_map_from_ntname(user, &map)) {
+ if (map.gid!=-1) {
+ /* yes it's a mapped group to a valid unix group */
+ sid_copy(&local_sid, &map.sid);
+ *psid_name_use = map.sid_name_use;
+ }
+ } else {
+ grp = getgrnam(user);
+ if(!grp)
+ return False;
- sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
- *psid_name_use = SID_NAME_ALIAS;
+ sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
+ *psid_name_use = SID_NAME_ALIAS;
+ }
}
sid_copy( psid, &local_sid);
diff --git a/source3/rpc_parse/parse_lsa.c b/source3/rpc_parse/parse_lsa.c
index 6d5332794f..10a9efbe49 100644
--- a/source3/rpc_parse/parse_lsa.c
+++ b/source3/rpc_parse/parse_lsa.c
@@ -854,6 +854,15 @@ static BOOL lsa_io_sid_enum(char *desc, LSA_SID_ENUM *sen, prs_struct *ps,
return False;
if(!prs_uint32("ptr_sid_enum", ps, depth, &sen->ptr_sid_enum))
return False;
+
+ /*
+ if the ptr is NULL, leave here. checked from a real w2k trace.
+ JFM, 11/23/2001
+ */
+
+ if (sen->ptr_sid_enum==0)
+ return True;
+
if(!prs_uint32("num_entries2", ps, depth, &sen->num_entries2))
return False;
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index f221582d86..03d48aa5e7 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -543,7 +543,7 @@ NTSTATUS _lsa_enum_privs(pipes_struct *p, LSA_Q_ENUM_PRIVS *q_u, LSA_R_ENUM_PRIV
return NT_STATUS_INVALID_HANDLE;
if (enum_context >= PRIV_ALL_INDEX)
- return NT_STATUS_UNABLE_TO_FREE_VM;
+ return NT_STATUS_NO_MORE_ENTRIES;
entries = (LSA_PRIV_ENTRY *)talloc_zero(p->mem_ctx, sizeof(LSA_PRIV_ENTRY) * (PRIV_ALL_INDEX));
if (entries==NULL)
@@ -625,6 +625,9 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU
if(!enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED))
return NT_STATUS_OK;
+ if (q_u->enum_context >= num_entries)
+ return NT_STATUS_NO_MORE_ENTRIES;
+
sids->ptr_sid = (uint32 *)talloc_zero(p->mem_ctx, (num_entries-q_u->enum_context)*sizeof(uint32));
sids->sid = (DOM_SID2 *)talloc_zero(p->mem_ctx, (num_entries-q_u->enum_context)*sizeof(DOM_SID2));
@@ -707,7 +710,7 @@ NTSTATUS _lsa_open_account(pipes_struct *p, LSA_Q_OPENACCOUNT *q_u, LSA_R_OPENAC
}
/***************************************************************************
-
+ For a given SID, enumerate all the privilege this account has.
***************************************************************************/
NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LSA_R_ENUMPRIVSACCOUNT *r_u)
@@ -729,7 +732,7 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS
return NT_STATUS_NO_SUCH_GROUP;
for (i=1; privs[i].se_priv!=SE_PRIV_ALL; i++) {
- if ( (map.privilege & privs[i].se_priv) == privs[i].se_priv) {
+ if ( check_priv_in_privilege(map.privileges, privs[i].se_priv)) {
set=(LUID_ATTR *)talloc_realloc(p->mem_ctx, set, (count+1)*sizeof(LUID_ATTR));
if (set == NULL) return NT_STATUS_NO_MEMORY;
@@ -738,8 +741,7 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS
set[count].luid.high=1;
set[count].attr=0;
- count++;
-
+ count++;
}
}
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index c872c9f99f..f1f3040ba4 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -810,7 +810,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM
/* well-known aliases */
if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) {
- enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ALL_MAPPED);
+ enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED);
if (num_entries != 0) {
*d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP));
diff --git a/source3/utils/smbgroupedit.c b/source3/utils/smbgroupedit.c
index 8d99e8e600..b6138fa576 100644
--- a/source3/utils/smbgroupedit.c
+++ b/source3/utils/smbgroupedit.c
@@ -38,7 +38,7 @@ extern int optind;
static void usage(void)
{
if (getuid() == 0) {
- printf("groupedit options\n");
+ printf("smbgroupedit options\n");
} else {
printf("You need to be root to use this tool!\n");
}
@@ -47,6 +47,8 @@ static void usage(void)
printf(" -n group NT group name\n");
printf(" -p privilege only local\n");
printf(" -v list groups\n");
+ printf(" -l long list (include details)\n");
+ printf(" -s short list (default)\n");
printf(" -c SID change group\n");
printf(" -u unix group\n");
printf(" -x group delete this group\n");
@@ -60,16 +62,12 @@ static void usage(void)
**********************************************************/
int addgroup(char *group, enum SID_NAME_USE sid_type, char *ntgroup, char *ntcomment, char *privilege)
{
- uint32 se_priv;
+ uint32 se_priv[PRIV_ALL_INDEX];
gid_t gid;
DOM_SID sid;
fstring string_sid;
fstring name, comment;
-/* convert_priv_from_text(&se_priv, privilege);*/
-
- se_priv=0x0;
-
gid=nametogid(group);
if (gid==-1)
return -1;
@@ -87,6 +85,10 @@ int addgroup(char *group, enum SID_NAME_USE sid_type, char *ntgroup, char *ntcom
else
fstrcpy(comment, ntcomment);
+ init_privilege(se_priv);
+ if (privilege!=NULL)
+ convert_priv_from_text(se_priv, privilege);
+
if(!add_initial_entry(gid, string_sid, sid_type, name, comment, se_priv))
return -1;
@@ -101,7 +103,7 @@ int changegroup(char *sid_string, char *group, enum SID_NAME_USE sid_type, char
DOM_SID sid;
GROUP_MAP map;
gid_t gid;
- uint32 se_priv;
+ uint32 se_priv[PRIV_ALL_INDEX];
string_to_sid(&sid, sid_string);
@@ -139,8 +141,10 @@ int changegroup(char *sid_string, char *group, enum SID_NAME_USE sid_type, char
/* Change the privilege if new one */
if (privilege!=NULL) {
- convert_priv_from_text(&se_priv, privilege);
- map.privilege=se_priv;
+ int i;
+ convert_priv_from_text(se_priv, privilege);
+ for(i=0; i<PRIV_ALL_INDEX; i++)
+ map.privileges[i]=se_priv[i];
}
if (!add_mapping_entry(&map, TDB_REPLACE)) {
@@ -169,7 +173,7 @@ BOOL deletegroup(char *group)
/*********************************************************
List the groups.
**********************************************************/
-int listgroup(enum SID_NAME_USE sid_type)
+int listgroup(enum SID_NAME_USE sid_type, BOOL long_list)
{
int entries,i;
GROUP_MAP *map=NULL;
@@ -177,7 +181,8 @@ int listgroup(enum SID_NAME_USE sid_type)
fstring group_type;
fstring priv_text;
- printf("Unix\tSID\ttype\tnt name\tnt comment\tprivilege\n");
+ if (!long_list)
+ printf("NT group (SID) -> Unix group\n");
if (!enum_group_mapping(sid_type, &map, &entries, ENUM_ALL_MAPPED))
return -1;
@@ -185,10 +190,18 @@ int listgroup(enum SID_NAME_USE sid_type)
for (i=0; i<entries; i++) {
decode_sid_name_use(group_type, (map[i]).sid_name_use);
sid_to_string(string_sid, &map[i].sid);
- convert_priv_to_text(map[i].privilege, priv_text);
-
- printf("%s\t%s\t%s\n\t%s\t%s\t%s\n\n", gidtoname(map[i].gid), map[i].nt_name, string_sid,
- group_type, map[i].comment, priv_text);
+ convert_priv_to_text(map[i].privileges, priv_text);
+
+ if (!long_list)
+ printf("%s (%s) -> %s\n", map[i].nt_name, string_sid, gidtoname(map[i].gid));
+ else {
+ printf("%s\n", map[i].nt_name);
+ printf("\tSID : %s\n", string_sid);
+ printf("\tUnix group: %s\n", gidtoname(map[i].gid));
+ printf("\tGroup type: %s\n", group_type);
+ printf("\tComment : %s\n", map[i].comment);
+ printf("\tPrivilege : %s\n\n", priv_text);
+ }
}
return 0;
@@ -207,7 +220,8 @@ int main (int argc, char **argv)
BOOL nt_group = False;
BOOL priv = False;
BOOL group_type = False;
-
+ BOOL long_list = False;
+
char *group = NULL;
char *sid = NULL;
char *ntgroup = NULL;
@@ -235,7 +249,7 @@ int main (int argc, char **argv)
exit(1);
}
- while ((ch = getopt(argc, argv, "a:c:d:n:p:t:u:vx:")) != EOF) {
+ while ((ch = getopt(argc, argv, "a:c:d:ln:p:st:u:vx:")) != EOF) {
switch(ch) {
case 'a':
add_group = True;
@@ -248,6 +262,9 @@ int main (int argc, char **argv)
case 'd':
group_desc=optarg;
break;
+ case 'l':
+ long_list = True;
+ break;
case 'n':
nt_group = True;
ntgroup=optarg;
@@ -256,6 +273,9 @@ int main (int argc, char **argv)
priv = True;
privilege=optarg;
break;
+ case 's':
+ long_list = False;
+ break;
case 't':
group_type = True;
groupt=optarg;
@@ -325,7 +345,7 @@ int main (int argc, char **argv)
return addgroup(group, sid_type, ntgroup, group_desc, privilege);
if (view_group)
- return listgroup(sid_type);
+ return listgroup(sid_type, long_list);
if (delete_group)
return deletegroup(group);