From d94d87472ca2f3875caa146424caa178ce20274f Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 13 Jan 2005 18:20:37 +0000 Subject: r4724: Add support for Windows privileges in Samba 3.0 (based on Simo's code in trunk). Rewritten with the following changes: * privilege set is based on a 32-bit mask instead of strings (plans are to extend this to a 64 or 128-bit mask before the next 3.0.11preX release). * Remove the privilege code from the passdb API (replication to come later) * Only support the minimum amount of privileges that make sense. * Rewrite the domain join checks to use the SeMachineAccountPrivilege instead of the 'is a member of "Domain Admins"?' check that started all this. Still todo: * Utilize the SePrintOperatorPrivilege in addition to the 'printer admin' parameter * Utilize the SeAddUserPrivilege for adding users and groups * Fix some of the hard coded _lsa_*() calls * Start work on enough of SAM replication to get privileges from one Samba DC to another. * Come up with some management tool for manipultaing privileges instead of user manager since it is buggy when run on a 2k client (haven't tried xp). Works ok on NT4. (This used to be commit 77c10ff9aa6414a31eece6dfec00793f190a9d6c) --- source3/rpc_parse/parse_lsa.c | 81 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 69 insertions(+), 12 deletions(-) (limited to 'source3/rpc_parse') diff --git a/source3/rpc_parse/parse_lsa.c b/source3/rpc_parse/parse_lsa.c index e2cb94c8fe..20ccc39ce0 100644 --- a/source3/rpc_parse/parse_lsa.c +++ b/source3/rpc_parse/parse_lsa.c @@ -1650,6 +1650,61 @@ BOOL lsa_io_r_unk_get_connuser(const char *desc, LSA_R_UNK_GET_CONNUSER *r_c, pr return True; } +void init_lsa_q_create_account(LSA_Q_CREATEACCOUNT *trn, POLICY_HND *hnd, DOM_SID *sid, uint32 desired_access) +{ + memcpy(&trn->pol, hnd, sizeof(trn->pol)); + + init_dom_sid2(&trn->sid, sid); + trn->access = desired_access; +} + + +/******************************************************************* + Reads or writes an LSA_Q_CREATEACCOUNT structure. +********************************************************************/ + +BOOL lsa_io_q_create_account(const char *desc, LSA_Q_CREATEACCOUNT *r_c, prs_struct *ps, int depth) +{ + prs_debug(ps, depth, desc, "lsa_io_q_create_account"); + depth++; + + if(!prs_align(ps)) + return False; + + if(!smb_io_pol_hnd("pol", &r_c->pol, ps, depth)) + return False; + + if(!smb_io_dom_sid2("sid", &r_c->sid, ps, depth)) /* domain SID */ + return False; + + if(!prs_uint32("access", ps, depth, &r_c->access)) + return False; + + return True; +} + +/******************************************************************* + Reads or writes an LSA_R_CREATEACCOUNT structure. +********************************************************************/ + +BOOL lsa_io_r_create_account(const char *desc, LSA_R_CREATEACCOUNT *r_c, prs_struct *ps, int depth) +{ + prs_debug(ps, depth, desc, "lsa_io_r_open_account"); + depth++; + + if(!prs_align(ps)) + return False; + + if(!smb_io_pol_hnd("pol", &r_c->pol, ps, depth)) + return False; + + if(!prs_ntstatus("status", ps, depth, &r_c->status)) + return False; + + return True; +} + + void init_lsa_q_open_account(LSA_Q_OPENACCOUNT *trn, POLICY_HND *hnd, DOM_SID *sid, uint32 desired_access) { memcpy(&trn->pol, hnd, sizeof(trn->pol)); @@ -1804,13 +1859,15 @@ NTSTATUS init_lsa_r_enum_privsaccount(TALLOC_CTX *mem_ctx, LSA_R_ENUMPRIVSACCOUN r_u->ptr = 1; r_u->count = count; - if (!NT_STATUS_IS_OK(ret = init_priv_with_ctx(mem_ctx, &(r_u->set)))) + if ( !NT_STATUS_IS_OK(ret = privilege_set_init_by_ctx(mem_ctx, &(r_u->set))) ) return ret; - if (!NT_STATUS_IS_OK(ret = dupalloc_luid_attr(r_u->set->mem_ctx, &(r_u->set->set), set))) + r_u->set.count = count; + + if (!NT_STATUS_IS_OK(ret = dup_luid_attr(r_u->set.mem_ctx, &(r_u->set.set), set, count))) return ret; - DEBUG(10,("init_lsa_r_enum_privsaccount: %d %d privileges\n", r_u->count, r_u->set->count)); + DEBUG(10,("init_lsa_r_enum_privsaccount: %d privileges\n", r_u->count)); return ret; } @@ -1837,15 +1894,15 @@ BOOL lsa_io_r_enum_privsaccount(const char *desc, LSA_R_ENUMPRIVSACCOUNT *r_c, p /* malloc memory if unmarshalling here */ if (UNMARSHALLING(ps) && r_c->count != 0) { - if (!NT_STATUS_IS_OK(init_priv_with_ctx(ps->mem_ctx, &(r_c->set)))) + if (!NT_STATUS_IS_OK(privilege_set_init_by_ctx(ps->mem_ctx, &(r_c->set)))) return False; - if (!(r_c->set->set = PRS_ALLOC_MEM(ps,LUID_ATTR,r_c->count))) + if (!(r_c->set.set = PRS_ALLOC_MEM(ps,LUID_ATTR,r_c->count))) return False; } - if(!lsa_io_privilege_set(desc, r_c->set, ps, depth)) + if(!lsa_io_privilege_set(desc, &r_c->set, ps, depth)) return False; } @@ -2007,14 +2064,14 @@ BOOL lsa_io_q_addprivs(const char *desc, LSA_Q_ADDPRIVS *r_c, prs_struct *ps, in return False; if (UNMARSHALLING(ps) && r_c->count!=0) { - if (!NT_STATUS_IS_OK(init_priv_with_ctx(ps->mem_ctx, &(r_c->set)))) + if (!NT_STATUS_IS_OK(privilege_set_init_by_ctx(ps->mem_ctx, &(r_c->set)))) return False; - if (!(r_c->set->set = PRS_ALLOC_MEM(ps, LUID_ATTR, r_c->count))) + if (!(r_c->set.set = PRS_ALLOC_MEM(ps, LUID_ATTR, r_c->count))) return False; } - if(!lsa_io_privilege_set(desc, r_c->set, ps, depth)) + if(!lsa_io_privilege_set(desc, &r_c->set, ps, depth)) return False; return True; @@ -2069,14 +2126,14 @@ BOOL lsa_io_q_removeprivs(const char *desc, LSA_Q_REMOVEPRIVS *r_c, prs_struct * return False; if (UNMARSHALLING(ps) && r_c->count!=0) { - if (!NT_STATUS_IS_OK(init_priv_with_ctx(ps->mem_ctx, &(r_c->set)))) + if (!NT_STATUS_IS_OK(privilege_set_init_by_ctx(ps->mem_ctx, &(r_c->set)))) return False; - if (!(r_c->set->set = PRS_ALLOC_MEM(ps, LUID_ATTR, r_c->count))) + if (!(r_c->set.set = PRS_ALLOC_MEM(ps, LUID_ATTR, r_c->count))) return False; } - if(!lsa_io_privilege_set(desc, r_c->set, ps, depth)) + if(!lsa_io_privilege_set(desc, &r_c->set, ps, depth)) return False; } -- cgit