From 29d27297d0f77cb9d8a03f011e14f0569dc88225 Mon Sep 17 00:00:00 2001
From: Günther Deschner <gd@samba.org>
Date: Thu, 23 Oct 2008 19:24:41 +0200
Subject: s3-samr: remove duplicate copies of SAM user specific access rights.

Guenther
---
 source3/include/rpc_secdes.h     | 43 ----------------------------------------
 source3/librpc/gen_ndr/samr.h    | 10 ++++++++++
 source3/rpc_server/srv_samr_nt.c | 26 ++++++++++++------------
 3 files changed, 23 insertions(+), 56 deletions(-)

diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h
index cb0854eb71..6b30c6d40a 100644
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@@ -254,49 +254,6 @@ struct standard_mapping {
 		SA_RIGHT_DOMAIN_ENUM_ACCOUNTS	| \
 		SA_RIGHT_DOMAIN_LOOKUP_INFO_1)            
 
-
-/* User Object specific access rights */
-
-#define SA_RIGHT_USER_GET_NAME_ETC	0x00000001
-#define SA_RIGHT_USER_GET_LOCALE	0x00000002
-#define SA_RIGHT_USER_SET_LOC_COM	0x00000004
-#define SA_RIGHT_USER_GET_LOGONINFO	0x00000008
-#define SA_RIGHT_USER_ACCT_FLAGS_EXPIRY	0x00000010
-#define SA_RIGHT_USER_SET_ATTRIBUTES	0x00000020
-#define SA_RIGHT_USER_CHANGE_PASSWORD	0x00000040
-#define SA_RIGHT_USER_SET_PASSWORD	0x00000080
-#define SA_RIGHT_USER_GET_GROUPS	0x00000100
-#define SA_RIGHT_USER_READ_GROUP_MEM	0x00000200
-#define SA_RIGHT_USER_CHANGE_GROUP_MEM	0x00000400
-
-#define SA_RIGHT_USER_ALL_ACCESS	0x000007FF
-
-#define GENERIC_RIGHTS_USER_ALL_ACCESS \
-		(STANDARD_RIGHTS_REQUIRED_ACCESS| \
-		SA_RIGHT_USER_ALL_ACCESS)	/* 0x000f07ff */
-
-#define GENERIC_RIGHTS_USER_READ \
-		(STANDARD_RIGHTS_READ_ACCESS	| \
-		SA_RIGHT_USER_READ_GROUP_MEM	| \
-		SA_RIGHT_USER_GET_GROUPS	| \
-		SA_RIGHT_USER_ACCT_FLAGS_EXPIRY	| \
-		SA_RIGHT_USER_GET_LOGONINFO	| \
-		SA_RIGHT_USER_GET_LOCALE)	/* 0x0002031a */
-
-#define GENERIC_RIGHTS_USER_WRITE \
-		(STANDARD_RIGHTS_WRITE_ACCESS	| \
-		SA_RIGHT_USER_CHANGE_PASSWORD	| \
-		SA_RIGHT_USER_SET_LOC_COM	| \
-		SA_RIGHT_USER_SET_ATTRIBUTES	| \
-		SA_RIGHT_USER_SET_PASSWORD	| \
-		SA_RIGHT_USER_CHANGE_GROUP_MEM)	/* 0x000204e4 */
-
-#define GENERIC_RIGHTS_USER_EXECUTE \
-		(STANDARD_RIGHTS_EXECUTE_ACCESS	| \
-		SA_RIGHT_USER_CHANGE_PASSWORD	| \
-		SA_RIGHT_USER_GET_NAME_ETC )	/* 0x00020041 */
-
-
 /* Group Object specific access rights */
 
 #define SA_RIGHT_GROUP_LOOKUP_INFO	0x00000001
diff --git a/source3/librpc/gen_ndr/samr.h b/source3/librpc/gen_ndr/samr.h
index 62f6bf8de6..d2492d6d24 100644
--- a/source3/librpc/gen_ndr/samr.h
+++ b/source3/librpc/gen_ndr/samr.h
@@ -8,6 +8,16 @@
 #ifndef _HEADER_samr
 #define _HEADER_samr
 
+#define SAMR_ACCESS_ALL_ACCESS	( 0x0000003F )
+#define GENERIC_RIGHTS_SAM_ALL_ACCESS	( (STANDARD_RIGHTS_REQUIRED_ACCESS|SAMR_ACCESS_ALL_ACCESS) )
+#define GENERIC_RIGHTS_SAM_READ	( (STANDARD_RIGHTS_READ_ACCESS|SAMR_ACCESS_ENUM_DOMAINS) )
+#define GENERIC_RIGHTS_SAM_WRITE	( (STANDARD_RIGHTS_WRITE_ACCESS|SAMR_ACCESS_CREATE_DOMAIN|SAMR_ACCESS_INITIALIZE_SERVER|SAMR_ACCESS_SHUTDOWN_SERVER) )
+#define GENERIC_RIGHTS_SAM_EXECUTE	( (STANDARD_RIGHTS_EXECUTE_ACCESS|SAMR_ACCESS_OPEN_DOMAIN|SAMR_ACCESS_CONNECT_TO_SERVER) )
+#define SAMR_USER_ACCESS_ALL_ACCESS	( 0x000007FF )
+#define GENERIC_RIGHTS_USER_ALL_ACCESS	( (STANDARD_RIGHTS_REQUIRED_ACCESS|SAMR_USER_ACCESS_ALL_ACCESS) )
+#define GENERIC_RIGHTS_USER_READ	( (STANDARD_RIGHTS_READ_ACCESS|SAMR_USER_ACCESS_GET_GROUP_MEMBERSHIP|SAMR_USER_ACCESS_GET_GROUPS|SAMR_USER_ACCESS_GET_ATTRIBUTES|SAMR_USER_ACCESS_GET_LOGONINFO|SAMR_USER_ACCESS_GET_LOCALE) )
+#define GENERIC_RIGHTS_USER_WRITE	( (STANDARD_RIGHTS_WRITE_ACCESS|SAMR_USER_ACCESS_CHANGE_PASSWORD|SAMR_USER_ACCESS_SET_LOC_COM|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_CHANGE_GROUP_MEMBERSHIP) )
+#define GENERIC_RIGHTS_USER_EXECUTE	( (STANDARD_RIGHTS_EXECUTE_ACCESS|SAMR_USER_ACCESS_CHANGE_PASSWORD|SAMR_USER_ACCESS_GET_NAME_ETC) )
 #define MAX_SAM_ENTRIES_W2K	( 0x400 )
 #define MAX_SAM_ENTRIES_W95	( 50 )
 #define SAMR_ENUM_USERS_MULTIPLIER	( 54 )
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index d5be53b09f..532392c88b 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -38,10 +38,10 @@
 
 #define SAMR_USR_RIGHTS_WRITE_PW \
 		( READ_CONTROL_ACCESS		| \
-		  SA_RIGHT_USER_CHANGE_PASSWORD	| \
-		  SA_RIGHT_USER_SET_LOC_COM )
+		  SAMR_USER_ACCESS_CHANGE_PASSWORD	| \
+		  SAMR_USER_ACCESS_SET_LOC_COM)
 #define SAMR_USR_RIGHTS_CANT_WRITE_PW \
-		( READ_CONTROL_ACCESS | SA_RIGHT_USER_SET_LOC_COM )
+		( READ_CONTROL_ACCESS | SAMR_USER_ACCESS_SET_LOC_COM )
 
 #define DISP_INFO_CACHE_TIMEOUT 10
 
@@ -91,7 +91,7 @@ static const struct generic_mapping usr_generic_mapping = {
 static const struct generic_mapping usr_nopwchange_generic_mapping = {
 	GENERIC_RIGHTS_USER_READ,
 	GENERIC_RIGHTS_USER_WRITE,
-	GENERIC_RIGHTS_USER_EXECUTE & ~SA_RIGHT_USER_CHANGE_PASSWORD,
+	GENERIC_RIGHTS_USER_EXECUTE & ~SAMR_USER_ACCESS_CHANGE_PASSWORD,
 	GENERIC_RIGHTS_USER_ALL_ACCESS};
 static const struct generic_mapping grp_generic_mapping = {
 	GENERIC_RIGHTS_GROUP_READ,
@@ -791,7 +791,7 @@ NTSTATUS _samr_SetSecurity(pipes_struct *p,
 		if (sid_equal(&pol_sid, &dacl->aces[i].trustee)) {
 			ret = pdb_set_pass_can_change(sampass,
 				(dacl->aces[i].access_mask &
-				 SA_RIGHT_USER_CHANGE_PASSWORD) ?
+				 SAMR_USER_ACCESS_CHANGE_PASSWORD) ?
 						      True: False);
 			break;
 		}
@@ -803,7 +803,7 @@ NTSTATUS _samr_SetSecurity(pipes_struct *p,
 	}
 
 	status = access_check_samr_function(acc_granted,
-					    SA_RIGHT_USER_SET_ATTRIBUTES,
+					    SAMR_USER_ACCESS_SET_ATTRIBUTES,
 					    "_samr_SetSecurity");
 	if (NT_STATUS_IS_OK(status)) {
 		become_root();
@@ -2764,7 +2764,7 @@ NTSTATUS _samr_GetGroupsForUser(pipes_struct *p,
 		return NT_STATUS_INVALID_HANDLE;
 
 	result = access_check_samr_function(acc_granted,
-					    SA_RIGHT_USER_GET_GROUPS,
+					    SAMR_USER_ACCESS_GET_GROUPS,
 					    "_samr_GetGroupsForUser");
 	if (!NT_STATUS_IS_OK(result)) {
 		return result;
@@ -4109,9 +4109,9 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
 	}
 
 	/* This is tricky.  A WinXP domain join sets
-	  (SA_RIGHT_USER_SET_PASSWORD|SA_RIGHT_USER_SET_ATTRIBUTES|SA_RIGHT_USER_ACCT_FLAGS_EXPIRY)
+	  (SAMR_USER_ACCESS_SET_PASSWORD|SAMR_USER_ACCESS_SET_ATTRIBUTES|SAMR_USER_ACCESS_GET_ATTRIBUTES)
 	  The MMC lusrmgr plugin includes these perms and more in the SamrOpenUser().  But the
-	  standard Win32 API calls just ask for SA_RIGHT_USER_SET_PASSWORD in the SamrOpenUser().
+	  standard Win32 API calls just ask for SAMR_USER_ACCESS_SET_PASSWORD in the SamrOpenUser().
 	  This should be enough for levels 18, 24, 25,& 26.  Info level 23 can set more so
 	  we'll use the set from the WinXP join as the basis. */
 
@@ -4120,12 +4120,12 @@ NTSTATUS _samr_SetUserInfo(pipes_struct *p,
 	case 24:
 	case 25:
 	case 26:
-		acc_required = SA_RIGHT_USER_SET_PASSWORD;
+		acc_required = SAMR_USER_ACCESS_SET_PASSWORD;
 		break;
 	default:
-		acc_required = SA_RIGHT_USER_SET_PASSWORD |
-			       SA_RIGHT_USER_SET_ATTRIBUTES |
-			       SA_RIGHT_USER_ACCT_FLAGS_EXPIRY;
+		acc_required = SAMR_USER_ACCESS_SET_PASSWORD |
+			       SAMR_USER_ACCESS_SET_ATTRIBUTES |
+			       SAMR_USER_ACCESS_GET_ATTRIBUTES;
 		break;
 	}
 
-- 
cgit