From d94d87472ca2f3875caa146424caa178ce20274f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 13 Jan 2005 18:20:37 +0000 Subject: r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
---
 source3/include/privileges.h | 74 +++++++++++++++++++++++++++++++++++++-------
 1 file changed, 63 insertions(+), 11 deletions(-)
(limited to 'source3/include/privileges.h')
diff --git a/source3/include/privileges.h b/source3/include/privileges.h
index b7e1b44c2a..cdf62b7f85 100644
--- a/source3/include/privileges.h
+++ b/source3/include/privileges.h
@@ -4,6 +4,8 @@
 Copyright (C) Andrew Tridgell 1992-1997
 Copyright (C) Luke Kenneth Casson Leighton 1996-1997
 Copyright (C) Paul Ashton 1997
+ Copyright (C) Simo Sorce 2003
+ Copyright (C) Gerald (Jerry) Carter 2004

 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -23,22 +25,73 @@
 #ifndef PRIVILEGES_H
 #define PRIVILEGES_H

-#define PRIV_ALL_INDEX 5
+/* common privilege defines */

-#define SE_PRIV_NONE 0x0000
-#define SE_PRIV_ADD_MACHINES 0x0006
-#define SE_PRIV_SEC_PRIV 0x0008
-#define SE_PRIV_TAKE_OWNER 0x0009
-#define SE_PRIV_ADD_USERS 0xff01
-#define SE_PRIV_PRINT_OPERATOR 0xff03
-#define SE_PRIV_ALL 0xffff
+#define SE_END 0x00000000
+#define SE_NONE 0x00000000
+#define SE_ALL_PRIVS 0xFFFFFFFF
+
+/*
+ * We will use our own set of privileges since it makes no sense
+ * to implement all of the Windows set when only a portion will
+ * be used.
+ */
+
+#define SE_NETWORK_LOGON 0x00000001
+#define SE_INTERACTIVE_LOGON 0x00000002
+#define SE_BATCH_LOGON 0x00000004
+#define SE_SERVICE_LOGON 0x00000008
+#define SE_MACHINE_ACCOUNT 0x00000010
+#define SE_PRINT_OPERATOR 0x00000020
+#define SE_ADD_USERS 0x00000040
+
+#if 0 /* not needed currently */
+
+#define SE_ASSIGN_PRIMARY_TOKEN
+#define SE_CREATE_TOKEN
+#define SE_LOCK_MEMORY
+#define SE_INCREASE_QUOTA
+#define SE_UNSOLICITED_INPUT
+#define SE_TCB
+#define SE_SECURITY
+#define SE_TAKE_OWNERSHIP
+#define SE_LOAD_DRIVER
+#define SE_SYSTEM_PROFILE
+#define SE_SYSTEM_TIME
+#define SE_PROF_SINGLE_PROCESS
+#define SE_INC_BASE_PRIORITY
+#define SE_CREATE_PAGEFILE
+#define SE_CREATE_PERMANENT
+#define SE_BACKUP
+#define SE_RESTORE
+#define SE_SHUTDOWN
+#define SE_DEBUG
+#define SE_AUDIT
+#define SE_SYSTEM_ENVIRONMENT
+#define SE_CHANGE_NOTIFY
+#define SE_REMOTE_SHUTDOWN
+#define SE_UNDOCK
+#define SE_SYNC_AGENT
+#define SE_ENABLE_DELEGATION
+
+#endif /* not needed currently */
+
+/*
+ * These are used in Lsa replies (srv_lsa_nt.c)
+ */

 #define PR_NONE 0x0000
 #define PR_LOG_ON_LOCALLY 0x0001
 #define PR_ACCESS_FROM_NETWORK 0x0002
 #define PR_LOG_ON_BATCH_JOB 0x0004
 #define PR_LOG_ON_SERVICE 0x0010
+
+#ifndef _BOOL
+typedef int BOOL;
+#define _BOOL /* So we don't typedef BOOL again in vfs.h */
+#endif
+

 typedef struct LUID
 {
 uint32 low;
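Review bot: The 26 privileges inside the `#if 0` block are defined with no replacement text, so if that block is ever enabled `SE_TCB` and the rest expand to nothing: any mask expression built from them fails to compile while `#ifdef SE_TCB` still reports them as available, and together with the seven live bits they would need 33 distinct flags, one more than the 32-bit `uint32 se_priv` field can hold (which matches the commit message's plan to widen the mask). A comment on the block such as `/* placeholders: each needs a distinct bit value before this is enabled; a 32-bit mask cannot hold all of them */` would keep that from being rediscovered the hard way. `SE_END` and `SE_NONE` are both `0x00000000`, so a table terminator cannot be told apart from an entry that carries no privilege; if `SE_END` is meant as a sentinel it should say so next to its definition. `_BOOL` (leading underscore followed by an uppercase letter) is an identifier reserved for the implementation; a guard such as `SAMBA_BOOL_DEFINED` avoids that, though the matching guard in vfs.h would have to change with it.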
@@ -49,7 +102,7 @@ typedef struct LUID_ATTR
 {
 LUID luid;
 uint32 attr;
-} LUID_ATTR ;
+} LUID_ATTR;

 typedef struct privilege_set
 {
@@ -62,9 +115,8 @@ typedef struct privilege_set
 typedef struct _PRIVS
 {
 uint32 se_priv;
- const char *priv;
+ const char *name;
 const char *description;
 } PRIVS;

-
 #endif /* PRIVILEGES_H */
-- cgit