owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
- status = smblsa_sid_check_privilege(cli,
- owner_sid,
- sec_privilege_name(SEC_PRIV_RESTORE));
+ status = torture_check_privilege(cli,
+ owner_sid,
+ sec_privilege_name(SEC_PRIV_RESTORE));
has_restore_privilege = NT_STATUS_IS_OK(status);
torture_comment(tctx, "Checked SEC_PRIV_RESTORE for %s - %s\n",
owner_sid,
has_restore_privilege?"Yes":"No");
- status = smblsa_sid_check_privilege(cli,
- owner_sid,
- sec_privilege_name(SEC_PRIV_BACKUP));
+ status = torture_check_privilege(cli,
+ owner_sid,
+ sec_privilege_name(SEC_PRIV_BACKUP));
has_backup_privilege = NT_STATUS_IS_OK(status);
torture_comment(tctx, "Checked SEC_PRIV_BACKUP for %s - %s\n",
owner_sid,
owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_RESTORE));
has_restore_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
has_take_ownership_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_RESTORE));
has_restore_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
has_take_ownership_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_RESTORE));
has_restore_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_RESTORE - %s\n", has_restore_privilege?"Yes":"No");
- status = smblsa_sid_check_privilege(cli,
+ status = torture_check_privilege(cli,
owner_sid,
sec_privilege_name(SEC_PRIV_TAKE_OWNERSHIP));
has_take_ownership_privilege = NT_STATUS_IS_OK(status);
if (!NT_STATUS_IS_OK(status)) {
- printf("smblsa_sid_check_privilege - %s\n", nt_errstr(status));
+ printf("torture_check_privilege - %s\n", nt_errstr(status));
}
printf("SEC_PRIV_TAKE_OWNERSHIP - %s\n", has_take_ownership_privilege?"Yes":"No");
#include "auth/credentials/credentials.h"
#include "libcli/resolve/resolve.h"
#include "param/param.h"
+#include "libcli/security/security.h"
+#include "libcli/util/clilsa.h"
/**
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
+
+/*
+ a wrapper around smblsa_sid_check_privilege, that tries to take
+ account of the fact that the lsa privileges calls don't expand
+ group memberships, using an explicit check for administrator. There
+ must be a better way ...
+ */
+NTSTATUS torture_check_privilege(struct smbcli_state *cli,
+ const char *sid_str,
+ const char *privilege)
+{
+ struct dom_sid *sid;
+ TALLOC_CTX *tmp_ctx = talloc_new(cli);
+ uint32_t rid;
+ NTSTATUS status;
+
+ sid = dom_sid_parse_talloc(tmp_ctx, sid_str);
+ if (sid == NULL) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INVALID_SID;
+ }
+
+ status = dom_sid_split_rid(tmp_ctx, sid, NULL, &rid);
+ NT_STATUS_NOT_OK_RETURN_AND_FREE(status, tmp_ctx);
+
+ if (rid == DOMAIN_RID_ADMINISTRATOR) {
+ /* assume the administrator has them all */
+ return NT_STATUS_OK;
+ }
+
+ talloc_free(tmp_ctx);
+
+ return smblsa_sid_check_privilege(cli, sid_str, privilege);
+}