From 00845002a60b541e290aee40626af4b5d522f553 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 23 Jan 2008 13:55:13 -0800 Subject: [PATCH] Version of Matt Geddes patch for adding acct_flags to rpccli_samr_create_dom_user(). Jerry please test. Jeremy. --- source/include/rpc_samr.h | 27 ++++++++++++++++++++++++++- source/libmsrpc/cac_samr.c | 12 ++++++++---- source/python/py_samr.c | 9 +++++++-- source/rpc_parse/parse_samr.c | 6 +++--- source/rpcclient/cmd_samr.c | 11 +++++++---- source/utils/net_domain.c | 8 +++++++- source/utils/net_rpc.c | 22 +++++++++++++++------- source/utils/net_rpc_join.c | 8 +++++++- 8 files changed, 80 insertions(+), 23 deletions(-) diff --git a/source/include/rpc_samr.h b/source/include/rpc_samr.h index 575cd78ef2f..a7a9660c7ff 100644 --- a/source/include/rpc_samr.h +++ b/source/include/rpc_samr.h @@ -146,6 +146,31 @@ SamrTestPrivateFunctionsUser #define SAMR_CHGPASSWD_USER3 0x3F #define SAMR_CONNECT5 0x40 +/* SAMR account creation flags/permissions */ +#define SAMR_USER_GETNAME 0x1 +#define SAMR_USER_GETLOCALE 0x2 +#define SAMR_USER_GETLOCCOM 0x4 +#define SAMR_USER_GETLOGONINFO 0x8 +#define SAMR_USER_GETATTR 0x10 +#define SAMR_USER_SETATTR 0x20 +#define SAMR_USER_CHPASS 0x40 +#define SAMR_USER_SETPASS 0x80 +#define SAMR_USER_GETGROUPS 0x100 +#define SAMR_USER_GETMEMBERSHIP 0x200 +#define SAMR_USER_CHMEMBERSHIP 0x400 +#define SAMR_STANDARD_DELETE 0x10000 +#define SAMR_STANDARD_READCTRL 0x20000 +#define SAMR_STANDARD_WRITEDAC 0x40000 +#define SAMR_STANDARD_WRITEOWNER 0x80000 +#define SAMR_STANDARD_SYNC 0x100000 +#define SAMR_GENERIC_ACCESSSACL 0x800000 +#define SAMR_GENERIC_MAXALLOWED 0x2000000 +#define SAMR_GENERIC_ALL 0x10000000 +#define SAMR_GENERIC_EXECUTE 0x20000000 +#define SAMR_GENERIC_WRITE 0x40000000 +#define SAMR_GENERIC_READ 0x80000000 + + typedef struct logon_hours_info { uint32 max_len; /* normally 1260 bytes */ 
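Review bot: In the new define block, `SAMR_GENERIC_ACCESSSACL 0x800000` does not match the NT access-mask bit its name suggests (ACCESS_SYSTEM_SECURITY is 0x01000000), so please confirm the value before anything ORs it into a request. The header comment `/* SAMR account creation flags/permissions */` is also misleading, because the block mixes user-object rights (0x1 to 0x400) with standard and generic access bits. A comment such as `/* Access-mask bits requested on the user handle returned by SAMR create user */` would describe how the call sites in this patch use them. `SAMR_GENERIC_MAXALLOWED` appears to duplicate the `MAXIMUM_ALLOWED_ACCESS` constant that cmd_samr.c already uses, so reusing the existing generic definitions would avoid two names for one bit.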
@@ -1557,7 +1582,7 @@ typedef struct q_samr_create_user_info UNISTR2 uni_name; /* unicode account name */ uint32 acb_info; /* account control info */ - uint32 access_mask; /* 0xe005 00b0 */ + uint32 acct_flags; /* 0xe005 00b0 */ } SAMR_Q_CREATE_USER; diff --git a/source/libmsrpc/cac_samr.c b/source/libmsrpc/cac_samr.c index 4d3acc85e3a..dd9e2c28dba 100644 --- a/source/libmsrpc/cac_samr.c +++ b/source/libmsrpc/cac_samr.c @@ -365,9 +365,7 @@ int cac_SamCreateUser( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, POLICY_HND *user_out = NULL; uint32 rid_out; - - /**found in rpcclient/cmd_samr.c*/ - uint32 unknown = 0xe005000b; + uint32 acct_flags=0; if ( !hnd ) return CAC_FAILURE; @@ -395,10 +393,16 @@ int cac_SamCreateUser( CacServerHandle * hnd, TALLOC_CTX * mem_ctx, return CAC_FAILURE; } + acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR | + SAMR_USER_SETATTR; + DEBUG(10, ("Creating account with flags: %d\n",acct_flags)); + hnd->status = rpccli_samr_create_dom_user( pipe_hnd, mem_ctx, op->in.dom_hnd, op->in.name, - op->in.acb_mask, unknown, + op->in.acb_mask, acct_flags, user_out, &rid_out ); if ( !NT_STATUS_IS_OK( hnd->status ) ) diff --git a/source/python/py_samr.c b/source/python/py_samr.c index fced5b3ddd8..e2600bc3f6f 100644 --- a/source/python/py_samr.c +++ b/source/python/py_samr.c @@ -463,7 +463,7 @@ static PyObject *samr_create_dom_user(PyObject *self, PyObject *args, static char *kwlist[] = { "account_name", "acb_info", NULL }; char *account_name; NTSTATUS ntstatus; - uint32 unknown = 0xe005000b; /* Access mask? */ + uint32 acct_flags = 0; uint32 user_rid; PyObject *result = NULL; TALLOC_CTX *mem_ctx; 
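Review bot: Renaming the field from `access_mask` to `acct_flags` in SAMR_Q_CREATE_USER makes it easy to confuse with `acb_info` directly above it, which holds the account control bits. The value carried here is built from access-right constants, not account flags. I would keep the old name, or at least change the comment to `/* access rights requested on the new user handle, e.g. 0xe00500b0 */`. The same rename is applied to the init_samr_q_create_user() parameter and the prs_uint32 label in parse_samr.c, and cmd_samr_create_dom_user() ends up with both an `acct_flags` and an `access_mask` local. The struct definition starts above this hunk.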
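Review bot: Replacing `unknown = 0xe005000b` with `acct_flags` is not a pure rename: the OR-expression assigned later in cac_SamCreateUser() evaluates to 0xe00500b0, so the request drops bits 0x1, 0x2 and 0x8 (SAMR_USER_GETNAME, SAMR_USER_GETLOCALE, SAMR_USER_GETLOGONINFO) and adds SAMR_USER_GETATTR, SAMR_USER_SETATTR and SAMR_USER_SETPASS. The commit message does not mention this, and the same switch happens at every call site that previously passed 0xe005000b (py_samr.c, cmd_samr.c, net_domain.c, rpc_user_add_internals() in net_rpc.c, net_rpc_join.c). If the change is intended, which the struct comment `0xe005 00b0` suggests, a comment at the assignment such as `/* == 0xe00500b0; replaces the old literal 0xe005000b */` would make it auditable. Because the identical four-line expression now appears in seven places, defining it once in rpc_samr.h under a single name would keep the call sites from drifting apart. The `=0` initialiser is a dead store as far as the visible hunks show, since the variable is assigned before the call.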
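Review bot: The added `DEBUG(10, ("Creating account with flags: %d\n",acct_flags));` prints with `%d` a uint32 that always has bit 31 set (SAMR_GENERIC_READ), so the log shows a negative decimal number that cannot be mapped back to the bit names. Print it in hex instead: `DEBUG(10, ("Creating account with access mask: 0x%08x\n", (unsigned int)acct_flags));`. The same line is added in py_samr.c, cmd_samr.c, net_domain.c, rpc_user_add_internals() in net_rpc.c and net_rpc_join.c, while rpc_trustdom_add_internals() gets no DEBUG line at all, so the sites should be made consistent. cac_SamCreateUser() continues outside this hunk.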
@@ -479,9 +479,14 @@ static PyObject *samr_create_dom_user(PyObject *self, PyObject *args, return NULL; } + acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR | + SAMR_USER_SETATTR; + DEBUG(10, ("Creating account with flags: %d\n",acct_flags)); ntstatus = rpccli_samr_create_dom_user( domain_hnd->cli, mem_ctx, &domain_hnd->domain_pol, - account_name, acb_info, unknown, &user_pol, &user_rid); + account_name, acb_info, acct_flags, &user_pol, &user_rid); if (!NT_STATUS_IS_OK(ntstatus)) { PyErr_SetObject(samr_ntstatus, py_ntstatus_tuple(ntstatus)); diff --git a/source/rpc_parse/parse_samr.c b/source/rpc_parse/parse_samr.c index 4410348abee..0d83e454ef2 100644 --- a/source/rpc_parse/parse_samr.c +++ b/source/rpc_parse/parse_samr.c @@ -5182,7 +5182,7 @@ reads or writes a structure. void init_samr_q_create_user(SAMR_Q_CREATE_USER * q_u, POLICY_HND *pol, const char *name, - uint32 acb_info, uint32 access_mask) + uint32 acb_info, uint32 acct_flags) { DEBUG(5, ("samr_init_samr_q_create_user\n")); @@ -5192,7 +5192,7 @@ void init_samr_q_create_user(SAMR_Q_CREATE_USER * q_u, init_uni_hdr(&q_u->hdr_name, &q_u->uni_name); q_u->acb_info = acb_info; - q_u->access_mask = access_mask; + q_u->acct_flags = acct_flags; } /******************************************************************* @@ -5223,7 +5223,7 @@ BOOL samr_io_q_create_user(const char *desc, SAMR_Q_CREATE_USER * q_u, return False; if(!prs_uint32("acb_info ", ps, depth, &q_u->acb_info)) return False; - if(!prs_uint32("access_mask", ps, depth, &q_u->access_mask)) + if(!prs_uint32("acct_flags", ps, depth, &q_u->acct_flags)) return False; return True; diff --git a/source/rpcclient/cmd_samr.c b/source/rpcclient/cmd_samr.c index dd55e65fb97..8487d2b8c76 100644 --- a/source/rpcclient/cmd_samr.c +++ b/source/rpcclient/cmd_samr.c 
@@ -1450,7 +1450,7 @@ static NTSTATUS cmd_samr_create_dom_user(struct rpc_pipe_client *cli, NTSTATUS result = NT_STATUS_UNSUCCESSFUL; const char *acct_name; uint32 acb_info; - uint32 unknown, user_rid; + uint32 acct_flags, user_rid; uint32 access_mask = MAXIMUM_ALLOWED_ACCESS; if ((argc < 2) || (argc > 3)) { @@ -1483,10 +1483,13 @@ static NTSTATUS cmd_samr_create_dom_user(struct rpc_pipe_client *cli, /* Create domain user */ acb_info = ACB_NORMAL; - unknown = 0xe005000b; /* No idea what this is - a permission mask? */ - + acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR | + SAMR_USER_SETATTR; + DEBUG(10, ("Creating account with flags: %d\n",acct_flags)); result = rpccli_samr_create_dom_user(cli, mem_ctx, &domain_pol, - acct_name, acb_info, unknown, + acct_name, acb_info, acct_flags, &user_pol, &user_rid); if (!NT_STATUS_IS_OK(result)) diff --git a/source/utils/net_domain.c b/source/utils/net_domain.c index 5b330d8765c..ac7e0dad733 100644 --- a/source/utils/net_domain.c +++ b/source/utils/net_domain.c @@ -209,6 +209,7 @@ NTSTATUS netdom_join_domain( TALLOC_CTX *mem_ctx, struct cli_state *cli, uint32 num_rids, *name_types, *user_rids; uint32 flags = 0x3e8; uint32 acb_info = ACB_WSTRUST; + uint32 acct_flags=0; uchar pwbuf[516]; SAM_USERINFO_CTR ctr; SAM_USER_INFO_24 p24; 
@@ -242,8 +243,13 @@ NTSTATUS netdom_join_domain( TALLOC_CTX *mem_ctx, struct cli_state *cli, /* Don't try to set any acb_info flags other than ACB_WSTRUST */ + acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR | + SAMR_USER_SETATTR; + DEBUG(10, ("Creating account with flags: %d\n",acct_flags)); status = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, - acct_name, acb_info, 0xe005000b, &user_pol, &user_rid); + acct_name, acb_info, acct_flags, &user_pol, &user_rid); if ( !NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_USER_EXISTS)) diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c index fee994b7519..1a3de4f5beb 100644 --- a/source/utils/net_rpc.c +++ b/source/utils/net_rpc.c @@ -581,7 +581,8 @@ static NTSTATUS rpc_user_add_internals(const DOM_SID *domain_sid, NTSTATUS result = NT_STATUS_UNSUCCESSFUL; const char *acct_name; uint32 acb_info; - uint32 unknown, user_rid; + uint32 acct_flags=0; + uint32 user_rid; if (argc < 1) { d_printf("User must be specified\n"); @@ -611,10 +612,14 @@ static NTSTATUS rpc_user_add_internals(const DOM_SID *domain_sid, /* Create domain user */ acb_info = ACB_NORMAL; - unknown = 0xe005000b; /* No idea what this is - a permission mask? */ + acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR | + SAMR_USER_SETATTR; + DEBUG(10, ("Creating account with flags: %d\n",acct_flags)); result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, - acct_name, acb_info, unknown, + acct_name, acb_info, acct_flags, &user_pol, &user_rid); if (!NT_STATUS_IS_OK(result)) { goto done; 
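Review bot: The mask requested for the machine account in netdom_join_domain() includes SAMR_STANDARD_WRITEDAC, SAMR_STANDARD_DELETE and all three generic bits, and nothing in the hunk explains why a join needs them. These bits were already present in the old literal, but now that they are named this is the place to document them. The rest of the function is outside this hunk. If it only sets the password and account control on `user_pol`, a narrower request may suffice and would be less likely to be refused for join accounts with limited rights; that needs confirming against the code below. At minimum add a comment above the assignment, e.g. `/* rights needed on the machine account handle: SETPASS for the password, GETATTR/SETATTR for acb_info; TODO confirm WRITEDAC and DELETE are required */`. net_rpc_join_newstyle() in net_rpc_join.c requests the same mask and would want the same comment.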
@@ -5335,7 +5340,8 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid, NTSTATUS result = NT_STATUS_UNSUCCESSFUL; char *acct_name; uint32 acb_info; - uint32 unknown, user_rid; + uint32 user_rid; + uint32 acct_flags=0; if (argc != 2) { d_printf("Usage: net rpc trustdom add \n"); @@ -5369,11 +5375,13 @@ static NTSTATUS rpc_trustdom_add_internals(const DOM_SID *domain_sid, /* Create trusting domain's account */ acb_info = ACB_NORMAL; - unknown = 0xe00500b0; /* No idea what this is - a permission mask? - mimir: yes, most probably it is */ + acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR | + SAMR_USER_SETATTR; result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, - acct_name, acb_info, unknown, + acct_name, acb_info, acct_flags, &user_pol, &user_rid); if (!NT_STATUS_IS_OK(result)) { goto done; diff --git a/source/utils/net_rpc_join.c b/source/utils/net_rpc_join.c index d23bd767519..d2c25eb54e5 100644 --- a/source/utils/net_rpc_join.c +++ b/source/utils/net_rpc_join.c @@ -142,6 +142,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) uint32 flags = 0x3e8; char *acct_name; const char *const_acct_name; + uint32 acct_flags=0; /* check what type of join */ if (argc >= 0) { @@ -229,9 +230,14 @@ int net_rpc_join_newstyle(int argc, const char **argv) strlower_m(acct_name); const_acct_name = acct_name; + acct_flags = SAMR_GENERIC_READ | SAMR_GENERIC_WRITE | + SAMR_GENERIC_EXECUTE | SAMR_STANDARD_WRITEDAC | + SAMR_STANDARD_DELETE | SAMR_USER_SETPASS | SAMR_USER_GETATTR | + SAMR_USER_SETATTR; + DEBUG(10, ("Creating account with flags: %d\n",acct_flags)); result = rpccli_samr_create_dom_user(pipe_hnd, mem_ctx, &domain_pol, acct_name, acb_info, - 0xe005000b, &user_pol, + acct_flags, &user_pol, &user_rid); if (!NT_STATUS_IS_OK(result) &&