From d94d87472ca2f3875caa146424caa178ce20274f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 13 Jan 2005 18:20:37 +0000 Subject: r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c) --- source3/auth/auth_util.c | 54 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 39 insertions(+), 15 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 98ecd00d1c..e4793c3df3 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -493,6 +493,11 @@ void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token) for (i = 0; i < token->num_sids; i++) DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i, sid_to_string(sid_str, &token->user_sids[i]))); + + DEBUGADDC(dbg_class, dbg_lev, ("Privileges: [%d]\n", token->privileges.count)); + for ( i=0; iprivileges.count; i++ ) { + DEBUGADDC(dbg_class, dbg_lev, ("\t%s\n", luid_to_privilege_name(&token->privileges.set[i].luid) )); + } } /**************************************************************************** @@ -583,6 +588,13 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro ptoken->num_sids--; } } + + /* add privileges assigned to this user */ + + privilege_set_init( &ptoken->privileges ); + + get_privileges_for_sids( &ptoken->privileges, ptoken->user_sids, ptoken->num_sids ); + debug_nt_user_token(DBGC_AUTH, 10, ptoken); @@ -1410,12 +1422,15 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me void delete_nt_token(NT_USER_TOKEN **pptoken) { - if (*pptoken) { - NT_USER_TOKEN *ptoken = *pptoken; - SAFE_FREE( ptoken->user_sids ); - ZERO_STRUCTP(ptoken); - } - SAFE_FREE(*pptoken); + if (*pptoken) { + NT_USER_TOKEN *ptoken = *pptoken; + + SAFE_FREE( ptoken->user_sids ); + privilege_set_free( &ptoken->privileges ); + + ZERO_STRUCTP(ptoken); + } + SAFE_FREE(*pptoken); } /**************************************************************************** @@ -1429,17 +1444,26 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) if (!ptoken) return NULL; - if ((token = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) - return NULL; - - ZERO_STRUCTP(token); + if ((token = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) + return NULL; - if ((token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids )) == NULL) { - SAFE_FREE(token); - return NULL; - } + ZERO_STRUCTP(token); + + token->user_sids = (DOM_SID *)memdup( ptoken->user_sids, sizeof(DOM_SID) * ptoken->num_sids ); + + if ( !token ) { + SAFE_FREE(token); + return NULL; + } - token->num_sids = ptoken->num_sids; + token->num_sids = ptoken->num_sids; + + /* copy the privileges; don't consider failure to be critical here */ + + privilege_set_init( &token->privileges); + if ( !dup_privilege_set( &token->privileges, &ptoken->privileges ) ) { + DEBUG(0,("dup_nt_token: Failure to copy PRIVILEGE_SET!. Continuing with 0 privileges assigned.\n")); + } return token; } -- cgit