From d94d87472ca2f3875caa146424caa178ce20274f Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Thu, 13 Jan 2005 18:20:37 +0000
Subject: r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk).
Rewritten with the following changes:
* privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release).
* Remove the privilege code from the passdb API (replication to come later)
* Only support the minimum amount of privileges that make sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this.
Still todo:
* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one Samba DC to another.
* Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4.
(This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c)
---
 source3/lib/account_pol.c | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
(limited to 'source3/lib/account_pol.c')
diff --git a/source3/lib/account_pol.c b/source3/lib/account_pol.c
index c62396c22d..72d6e77ddd 100644
--- a/source3/lib/account_pol.c
+++ b/source3/lib/account_pol.c
@@ -20,10 +20,18 @@
 */
 #include "includes.h"
-static TDB_CONTEXT *tdb; /* used for driver files */
+static TDB_CONTEXT *tdb;
 #define DATABASE_VERSION 2
+extern DOM_SID global_sid_World;
+extern DOM_SID global_sid_Builtin_Administrators;
+extern DOM_SID global_sid_Builtin_Account_Operators;
+extern DOM_SID global_sid_Builtin_Server_Operators;
+extern DOM_SID global_sid_Builtin_Print_Operators;
+extern DOM_SID global_sid_Builtin_Backup_Operators;
+
+
 /****************************************************************************
 Set default for a field if it is empty
 ****************************************************************************/
@@ -91,6 +99,15 @@ BOOL init_account_policy(void)
 }
 tdb_unlock_bystring(tdb, vstring);
+ /* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts] */
+
+ privilege_create_account( &global_sid_World );
+ privilege_create_account( &global_sid_Builtin_Administrators );
+ privilege_create_account( &global_sid_Builtin_Account_Operators );
+ privilege_create_account( &global_sid_Builtin_Server_Operators );
+ privilege_create_account( &global_sid_Builtin_Print_Operators );
+ privilege_create_account( &global_sid_Builtin_Backup_Operators );
+
 return True;
 }
@@ -218,3 +235,18 @@ BOOL account_policy_set(int field, uint32 value)
 return True;
 }
+
+/****************************************************************************
+****************************************************************************/
+
+TDB_CONTEXT *get_account_pol_tdb( void )
+{
+
+ if ( !tdb ) {
+ if ( !init_account_policy() )
+ return NULL;
+ }
+
+ return tdb;
+}
+
-- cgit
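Review bot: The six `extern DOM_SID global_sid_*` declarations are placed directly in this .c file rather than in the header that goes with the SIDs' definitions, so a later change to the defining type would not be caught by the compiler here. Prefer declaring them once in a shared header that both the defining file and this file include, so the declaration and definition are checked against each other. This is a style point; the added code itself is fine.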
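Review bot: The six privilege_create_account() calls added after tdb_unlock_bystring() discard whatever the function returns, so a failure to create one of the default privilege accounts is silent and init_account_policy() still returns True. If privilege_create_account() reports failure (its definition is outside this hunk, so I cannot confirm the return type), check each result and at least log it; if creation is intentionally best-effort, say so in the comment. The comment should also state what privilege mask these accounts are created with: the entry for global_sid_World applies to every user, so if it carries any non-empty default that is a grant to everyone and worth spelling out, e.g. `/* These exist by default on NT4 in [HKLM\SECURITY\Policy\Accounts]; they are created with an empty privilege set (confirm) */`.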
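Review bot: The banner comment above the new get_account_pol_tdb() is empty, so the function's contract is undocumented. Suggest filling it with `Return the account-policy TDB, opening it via init_account_policy() on first use. Returns NULL if the database could not be opened. The handle is owned by this module; callers must not close it.` The ownership sentence is inferred from tdb being file-static in this file; confirm that init_account_policy() does not reopen an already-open handle, since its body lies outside this hunk.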