Added proto definition for new RPC calls.
authorJeremy Allison <jra@samba.org>
Wed, 13 Dec 2000 19:55:48 +0000 (19:55 +0000)
committerJeremy Allison <jra@samba.org>
Wed, 13 Dec 2000 19:55:48 +0000 (19:55 +0000)
Added printing fix from appliance-head.
Jeremy.
(This used to be commit f4c7f9ddb906b67ee4397e7707309356085476d1)

source3/Makefile.in
source3/include/proto.h
source3/printing/nt_printing.c

index f2579dcf5714010044fb843deefe0de9c80296a2..ff97d5f0a3869b33ccbd87c299c0ce341d3aebff 100644 (file)
@@ -331,7 +331,7 @@ SMBFILTER_OBJ = utils/smbfilter.o $(LIBSMB_OBJ) $(PARAM_OBJ) \
                  $(UBIQX_OBJ) $(LIB_OBJ)
 
 PROTO_OBJ = $(SMBD_OBJ) $(NMBD_OBJ) $(SWAT_OBJ) $(CLIENT_OBJ) \
-           $(SMBWRAPPER_OBJ) $(SMBTORTURE_OBJ) $(RPCCLIENT_OBJ1)
+           $(SMBWRAPPER_OBJ) $(SMBTORTURE_OBJ) $(RPCCLIENT_OBJ1) $(LIBMSRPC_OBJ)
 
 NSS_OBJ_0 = nsswitch/wins.o $(PARAM_OBJ) $(UBIQX_OBJ) $(LIBSMB_OBJ) $(LIB_OBJ) $(NSSWINS_OBJ)
 NSS_OBJ = $(NSS_OBJ_0:.o=.po)
index 400517b9d7bb8a5566c0160b01121f8748b4202d..1801164981127ae7aa8e0bd4426f8c1b7685ab23 100644 (file)
@@ -651,6 +651,21 @@ struct in_addr wins_srv_ip( void );
 void wins_srv_died( struct in_addr boothill_ip );
 unsigned long wins_srv_count( void );
 
+/*The following definitions come from  libsmb/cli_lsarpc.c  */
+
+struct cli_state *cli_lsa_initialise(struct cli_state *cli, char *system_name,
+                                    struct ntuser_creds *creds);
+void cli_lsa_shutdown(struct cli_state *cli);
+uint32 cli_lsa_open_policy(struct cli_state *cli, BOOL sec_qos, 
+                          uint32 des_access, POLICY_HND *hnd);
+uint32 cli_lsa_close(struct cli_state *cli, POLICY_HND *hnd);
+uint32 cli_lsa_lookup_sids(struct cli_state *cli, POLICY_HND *hnd,
+                          int num_sids, DOM_SID *sids, char ***names, 
+                          uint32 **types, int *num_names);
+uint32 cli_lsa_lookup_names(struct cli_state *cli, POLICY_HND *hnd,
+                           int num_names, char **names, DOM_SID **sids,
+                           uint32 **types, int *num_sids);
+
 /*The following definitions come from  libsmb/cliconnect.c  */
 
 BOOL cli_session_setup(struct cli_state *cli, 
index 2ad2e564ecfb131a7c8946f6cbb4320dd5a5e074..a3e4db2314bdeba7887d8caaf5fd3450f937c5ca 100644 (file)
@@ -2971,7 +2971,6 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
        uint32 access_granted, status, required_access = 0;
        BOOL result;
        char *pname;
-       int i;
        extern struct current_user current_user;
        
        /* If user is NULL then use the current_user structure */
@@ -3011,13 +3010,20 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
               Manage Documents  0x00020000  PRINTER_ACE_MANAGE_DOCUMENTS
        */
 
-       switch (access_type) {
-       case PRINTER_ACCESS_USE:
-               required_access = PRINTER_ACE_PRINT;
-               break;
-       case PRINTER_ACCESS_ADMINISTER:
-               required_access = PRINTER_ACE_MANAGE_DOCUMENTS |
-                       PRINTER_ACE_PRINT;
+    switch (access_type) {
+    case PRINTER_ACCESS_USE:
+           required_access = PRINTER_ACE_PRINT;
+           break;
+    case PRINTER_ACCESS_ADMINISTER:
+               /* 
+                * This should be set to PRINTER_ACE_FULL_CONTROL, not to
+                * (PRINTER_ACE_PRINT | PRINTER_ACE_MANAGE_DOCUMENTS).
+                * Doing the latter gives anyone with both PRINTER_ACE_PRINT
+                * and PRINTER_ACE_MANAGE_DOCUMENTS (in any combination of ACLs)
+                * full control over all printer functions.  This isn't what 
+                * we want.
+                */
+               required_access = PRINTER_ACE_FULL_CONTROL; 
                break;
        case JOB_ACCESS_ADMINISTER:
                required_access = PRINTER_ACE_MANAGE_DOCUMENTS;
@@ -3027,30 +3033,7 @@ BOOL print_access_check(struct current_user *user, int snum, int access_type)
                result = False;
                goto done;
        }       
-
-       /* The ACE for Full Control in a printer security descriptor
-          doesn't seem to map properly to the access checking model.  For
-          it to work properly it should be the logical OR of all the other
-          values, i.e PRINTER_ACE_MANAGE_DOCUMENTS | PRINTER_ACE_PRINT.
-          This would cause the access check to simply fall out when we
-          check against any subset of these bits.  To get things to work,
-          change every ACE mask of PRINTER_ACE_FULL_CONTROL to
-          PRINTER_ACE_MANAGE_DOCUMENTS | PRINTER_ACE_PRINT before
-          performing the access check.  I'm sure there is a better way to
-          do this! */
-
-       if (secdesc && secdesc->sec && secdesc->sec->dacl &&
-           secdesc->sec->dacl->ace) {
-               for(i = 0; i < secdesc->sec->dacl->num_aces; i++) {
-                       if (secdesc->sec->dacl->ace[i].info.mask ==
-                           PRINTER_ACE_FULL_CONTROL) {
-                               secdesc->sec->dacl->ace[i].info.mask =
-                                       PRINTER_ACE_MANAGE_DOCUMENTS |
-                                       PRINTER_ACE_PRINT;
-                       }
-               }
-       }
-
+       
        if ((result = se_access_check(secdesc->sec, user, required_access,
                                      &access_granted, &status))) {
                goto done;