sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-08-02 00:22:11 +03:00
Code Activity

r4724: Add support for Windows privileges in Samba 3.0

Browse Source 
(based on Simo's code in trunk).  Rewritten with the
following changes:

* privilege set is based on a 32-bit mask instead of strings
  (plans are to extend this to a 64 or 128-bit mask before
   the next 3.0.11preX release).
* Remove the privilege code from the passdb API
  (replication to come later)
* Only support the minimum amount of privileges that make
  sense.
* Rewrite the domain join checks to use the SeMachineAccountPrivilege
  instead of the 'is a member of "Domain Admins"?' check that started
  all this.

Still todo:

* Utilize the SePrintOperatorPrivilege in addition to the 'printer admin'
  parameter
* Utilize the SeAddUserPrivilege for adding users and groups
* Fix some of the hard coded _lsa_*() calls
* Start work on enough of SAM replication to get privileges from one
  Samba DC to another.
* Come up with some management tool for manipultaing privileges
  instead of user manager since it is buggy when run on a 2k client
  (haven't tried xp).  Works ok on NT4.
This commit is contained in:
Gerald Carter
2005-01-13 18:20:37 +00:00
committed by Gerald (Jerry) Carter
parent dddd572646
commit 77c10ff9aa
18 changed files with 971 additions and 859 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
source/rpc_parse/parse_lsa.c
View File

@ -1650,6 +1650,61 @@ BOOL lsa_io_r_unk_get_connuser(const char *desc, LSA_R_UNK_GET_CONNUSER *r_c, pr
return True;
}
void init_lsa_q_create_account(LSA_Q_CREATEACCOUNT *trn, POLICY_HND *hnd, DOM_SID *sid, uint32 desired_access)
{
memcpy(&trn->pol, hnd, sizeof(trn->pol));
init_dom_sid2(&trn->sid, sid);
trn->access = desired_access;
}
/*******************************************************************
Reads or writes an LSA_Q_CREATEACCOUNT structure.
********************************************************************/
BOOL lsa_io_q_create_account(const char *desc, LSA_Q_CREATEACCOUNT *r_c, prs_struct *ps, int depth)
{
prs_debug(ps, depth, desc, "lsa_io_q_create_account");
depth++;
if(!prs_align(ps))
return False;
if(!smb_io_pol_hnd("pol", &r_c->pol, ps, depth))
return False;
if(!smb_io_dom_sid2("sid", &r_c->sid, ps, depth)) /* domain SID */
return False;
if(!prs_uint32("access", ps, depth, &r_c->access))
return False;
return True;
}
/*******************************************************************
Reads or writes an LSA_R_CREATEACCOUNT structure.
********************************************************************/
BOOL lsa_io_r_create_account(const char *desc, LSA_R_CREATEACCOUNT *r_c, prs_struct *ps, int depth)
{
prs_debug(ps, depth, desc, "lsa_io_r_open_account");
depth++;
if(!prs_align(ps))
return False;
if(!smb_io_pol_hnd("pol", &r_c->pol, ps, depth))
return False;
if(!prs_ntstatus("status", ps, depth, &r_c->status))
return False;
return True;
}
void init_lsa_q_open_account(LSA_Q_OPENACCOUNT *trn, POLICY_HND *hnd, DOM_SID *sid, uint32 desired_access)
{
memcpy(&trn->pol, hnd, sizeof(trn->pol));
@ -1804,13 +1859,15 @@ NTSTATUS init_lsa_r_enum_privsaccount(TALLOC_CTX *mem_ctx, LSA_R_ENUMPRIVSACCOUN
r_u->ptr = 1;
r_u->count = count;
if (!NT_STATUS_IS_OK(ret = init_priv_with_ctx(mem_ctx, &(r_u->set))))
if ( !NT_STATUS_IS_OK(ret = privilege_set_init_by_ctx(mem_ctx, &(r_u->set))) )
return ret;
if (!NT_STATUS_IS_OK(ret = dupalloc_luid_attr(r_u->set->mem_ctx, &(r_u->set->set), set)))
r_u->set.count = count;
if (!NT_STATUS_IS_OK(ret = dup_luid_attr(r_u->set.mem_ctx, &(r_u->set.set), set, count)))
return ret;
DEBUG(10,("init_lsa_r_enum_privsaccount: %d %d privileges\n", r_u->count, r_u->set->count));
DEBUG(10,("init_lsa_r_enum_privsaccount: %d privileges\n", r_u->count));
return ret;
}
@ -1837,15 +1894,15 @@ BOOL lsa_io_r_enum_privsaccount(const char *desc, LSA_R_ENUMPRIVSACCOUNT *r_c, p
/* malloc memory if unmarshalling here */
if (UNMARSHALLING(ps) && r_c->count != 0) {
if (!NT_STATUS_IS_OK(init_priv_with_ctx(ps->mem_ctx, &(r_c->set))))
if (!NT_STATUS_IS_OK(privilege_set_init_by_ctx(ps->mem_ctx, &(r_c->set))))
return False;
if (!(r_c->set->set = PRS_ALLOC_MEM(ps,LUID_ATTR,r_c->count)))
if (!(r_c->set.set = PRS_ALLOC_MEM(ps,LUID_ATTR,r_c->count)))
return False;
}
if(!lsa_io_privilege_set(desc, r_c->set, ps, depth))
if(!lsa_io_privilege_set(desc, &r_c->set, ps, depth))
return False;
}
@ -2007,14 +2064,14 @@ BOOL lsa_io_q_addprivs(const char *desc, LSA_Q_ADDPRIVS *r_c, prs_struct *ps, in
return False;
if (UNMARSHALLING(ps) && r_c->count!=0) {
if (!NT_STATUS_IS_OK(init_priv_with_ctx(ps->mem_ctx, &(r_c->set))))
if (!NT_STATUS_IS_OK(privilege_set_init_by_ctx(ps->mem_ctx, &(r_c->set))))
return False;
if (!(r_c->set->set = PRS_ALLOC_MEM(ps, LUID_ATTR, r_c->count)))
if (!(r_c->set.set = PRS_ALLOC_MEM(ps, LUID_ATTR, r_c->count)))
return False;
}
if(!lsa_io_privilege_set(desc, r_c->set, ps, depth))
if(!lsa_io_privilege_set(desc, &r_c->set, ps, depth))
return False;
return True;
@ -2069,14 +2126,14 @@ BOOL lsa_io_q_removeprivs(const char *desc, LSA_Q_REMOVEPRIVS *r_c, prs_struct *
return False;
if (UNMARSHALLING(ps) && r_c->count!=0) {
if (!NT_STATUS_IS_OK(init_priv_with_ctx(ps->mem_ctx, &(r_c->set))))
if (!NT_STATUS_IS_OK(privilege_set_init_by_ctx(ps->mem_ctx, &(r_c->set))))
return False;
if (!(r_c->set->set = PRS_ALLOC_MEM(ps, LUID_ATTR, r_c->count)))
if (!(r_c->set.set = PRS_ALLOC_MEM(ps, LUID_ATTR, r_c->count)))
return False;
}
if(!lsa_io_privilege_set(desc, r_c->set, ps, depth))
if(!lsa_io_privilege_set(desc, &r_c->set, ps, depth))
return False;
}