sddl: Add new SDDL SID strings
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Mon, 14 Mar 2022 05:18:09 +0000 (18:18 +1300)
committerJoseph Sutton <jsutton@samba.org>
Thu, 17 Mar 2022 23:11:37 +0000 (23:11 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
libcli/security/sddl.c
librpc/idl/security.idl
selftest/knownfail.d/sid-strings

index 046a9284f5ea48462989b9c5e43640d0b3cebfa5..5f7d70be9803df01748c99d886c4d96ca7689d9c 100644 (file)
@@ -92,6 +92,7 @@ static const struct {
 
        { .code = "CO", .sid = SID_CREATOR_OWNER },
        { .code = "CG", .sid = SID_CREATOR_GROUP },
+       { .code = "OW", .sid = SID_OWNER_RIGHTS },
 
        { .code = "NU", .sid = SID_NT_NETWORK },
        { .code = "IU", .sid = SID_NT_INTERACTIVE },
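Review bot: The new `OW` entry adds the OWNER RIGHTS SID to the code/SID table without any comment, and this table only governs SDDL parsing and printing; whether Samba's access-check path gives that SID its Windows meaning (it replaces the implicit owner READ_CONTROL/WRITE_DAC grant when present in a DACL) is not visible from this commit, so a descriptor using it may round-trip through SDDL while being enforced differently. A one-line comment on the entry, `/* OWNER RIGHTS: mapped here for SDDL only; enforcement is not part of this table */`, would make that boundary clear to readers. The table definition starts before this hunk and continues after it.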
@@ -104,6 +105,7 @@ static const struct {
        { .code = "SY", .sid = SID_NT_SYSTEM },
        { .code = "LS", .sid = SID_NT_LOCAL_SERVICE },
        { .code = "NS", .sid = SID_NT_NETWORK_SERVICE },
+       { .code = "WR", .sid = SID_SECURITY_RESTRICTED_CODE },
 
        { .code = "BA", .sid = SID_BUILTIN_ADMINISTRATORS },
        { .code = "BU", .sid = SID_BUILTIN_USERS },
@@ -120,8 +122,31 @@ static const struct {
        { .code = "NO", .sid = SID_BUILTIN_NETWORK_CONF_OPERATORS },
        { .code = "IF", .sid = SID_BUILTIN_INCOMING_FOREST_TRUST },
 
+       { .code = "MU", .sid = SID_BUILTIN_PERFMON_USERS },
+       { .code = "LU", .sid = SID_BUILTIN_PERFLOG_USERS },
        { .code = "IS", .sid = SID_BUILTIN_IUSERS },
+       { .code = "CY", .sid = SID_BUILTIN_CRYPTO_OPERATORS },
        { .code = "ER", .sid = SID_BUILTIN_EVENT_LOG_READERS },
+       { .code = "CD", .sid = SID_BUILTIN_CERT_SERV_DCOM_ACCESS },
+       { .code = "RA", .sid = SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS },
+       { .code = "ES", .sid = SID_BUILTIN_RDS_ENDPOINT_SERVERS },
+       { .code = "MS", .sid = SID_BUILTIN_RDS_MANAGEMENT_SERVERS },
+       { .code = "HA", .sid = SID_BUILTIN_HYPER_V_ADMINS },
+       { .code = "AA", .sid = SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS },
+       { .code = "RM", .sid = SID_BUILTIN_REMOTE_MANAGEMENT_USERS },
+
+       { .code = "UD", .sid = SID_USER_MODE_DRIVERS },
+
+       { .code = "AC", .sid = SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE },
+
+       { .code = "LW", .sid = SID_SECURITY_MANDATORY_LOW },
+       { .code = "ME", .sid = SID_SECURITY_MANDATORY_MEDIUM },
+       { .code = "MP", .sid = SID_SECURITY_MANDATORY_MEDIUM_PLUS },
+       { .code = "HI", .sid = SID_SECURITY_MANDATORY_HIGH },
+       { .code = "SI", .sid = SID_SECURITY_MANDATORY_SYSTEM },
+
+       { .code = "AS", .sid = SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY },
+       { .code = "SS", .sid = SID_SERVICE_ASSERTED_IDENTITY },
 
        { .code = "RO", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS },
 
@@ -138,6 +163,13 @@ static const struct {
        { .code = "SA", .sid = NULL, .rid = DOMAIN_RID_SCHEMA_ADMINS },
        { .code = "EA", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_ADMINS },
        { .code = "PA", .sid = NULL, .rid = DOMAIN_RID_POLICY_ADMINS },
+
+       { .code = "CN", .sid = NULL, .rid = DOMAIN_RID_CLONEABLE_CONTROLLERS },
+
+       { .code = "AP", .sid = NULL, .rid = DOMAIN_RID_PROTECTED_USERS },
+       { .code = "KA", .sid = NULL, .rid = DOMAIN_RID_KEY_ADMINS },
+       { .code = "EK", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_KEY_ADMINS },
+
        { .code = "RS", .sid = NULL, .rid = DOMAIN_RID_RAS_SERVERS }
 };
 
index 0736cf187259d9131d0401ed981d9c33d6a9b200..6b867595a284b4e324a7b037df0a81b0d42bdaf4 100644 (file)
@@ -278,6 +278,14 @@ interface security
        const string SID_BUILTIN_CRYPTO_OPERATORS       = "S-1-5-32-569";
        const string SID_BUILTIN_EVENT_LOG_READERS      = "S-1-5-32-573";
        const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS  = "S-1-5-32-574";
+       const string SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS      = "S-1-5-32-575";
+       const string SID_BUILTIN_RDS_ENDPOINT_SERVERS   = "S-1-5-32-576";
+       const string SID_BUILTIN_RDS_MANAGEMENT_SERVERS = "S-1-5-32-577";
+       const string SID_BUILTIN_HYPER_V_ADMINS = "S-1-5-32-578";
+       const string SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS  = "S-1-5-32-579";
+       const string SID_BUILTIN_REMOTE_MANAGEMENT_USERS        = "S-1-5-32-580";
+
+       const string SID_SECURITY_RESTRICTED_CODE = "S-1-5-33";
 
        /* UID/GID mapping Samba style */
        const string SID_SAMBA_UNIX_USER_OWNER          = "S-1-22-1";
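Review bot: The new `SID_BUILTIN_HYPER_V_ADMINS` line does not use the `=` column its neighbours share, and the same happens to `BUILTIN_RID_HYPER_V_ADMINS` in the later RID hunk; aligning both keeps the two tables scannable. More substantively, each BUILTIN SID string added here is duplicated as a numeric `BUILTIN_RID_*` constant further down, so a typo in one of the two would only show up at runtime as a wrong trustee; a comment on this group, `/* Keep in sync with the BUILTIN_RID_* constants below */`, would at least point maintainers at the pairing. The same observation applies to the RID hunk that adds 575–580.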
@@ -296,6 +304,16 @@ interface security
        const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
        const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
 
+       const string SID_USER_MODE_DRIVERS = "S-1-5-84-0-0-0-0-0";
+
+       const string SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE = "S-1-15-2-1";
+
+       const string SID_SECURITY_MANDATORY_LOW = "S-1-16-4096";
+       const string SID_SECURITY_MANDATORY_MEDIUM = "S-1-16-8192";
+       const string SID_SECURITY_MANDATORY_MEDIUM_PLUS = "S-1-16-8448";
+       const string SID_SECURITY_MANDATORY_HIGH = "S-1-16-12288";
+       const string SID_SECURITY_MANDATORY_SYSTEM = "S-1-16-16384";
+
        /*
         * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
         */
@@ -321,6 +339,10 @@ interface security
        const int DOMAIN_RID_ENTERPRISE_ADMINS       = 519;
        const int DOMAIN_RID_POLICY_ADMINS           = 520;
        const int DOMAIN_RID_READONLY_DCS            = 521;
+       const int DOMAIN_RID_CLONEABLE_CONTROLLERS   = 522;
+       const int DOMAIN_RID_PROTECTED_USERS         = 525;
+       const int DOMAIN_RID_KEY_ADMINS              = 526;
+       const int DOMAIN_RID_ENTERPRISE_KEY_ADMINS   = 527;
        const int DOMAIN_RID_RAS_SERVERS             = 553;
        const int DOMAIN_RID_RODC_ALLOW              = 571;
        const int DOMAIN_RID_RODC_DENY               = 572;
@@ -349,6 +371,12 @@ interface security
        const int BUILTIN_RID_CRYPTO_OPERATORS          = 569;
        const int BUILTIN_RID_EVENT_LOG_READERS         = 573;
        const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS     = 574;
+       const int BUILTIN_RID_RDS_REMOTE_ACCESS_SERVERS = 575;
+       const int BUILTIN_RID_RDS_ENDPOINT_SERVERS      = 576;
+       const int BUILTIN_RID_RDS_MANAGEMENT_SERVERS    = 577;
+       const int BUILTIN_RID_HYPER_V_ADMINS    = 578;
+       const int BUILTIN_RID_ACCESS_CONTROL_ASSISTANCE_OPS     = 579;
+       const int BUILTIN_RID_REMOTE_MANAGEMENT_USERS   = 580;
 
 /********************************************************************
  This is a list of privileges reported by a WIndows 2008 R2 DC
index 87fa4eb15f76a4456b5d5b773a35e4f49d449f74..a9cefedc8a2b2363250e1f61af7c0224de6c442c 100644 (file)
@@ -1,30 +1,6 @@
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_AA.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_AC.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_AP.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_AS.ad_dc
 ^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_Aa.ad_dc
 ^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_BR.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_CD.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_CN.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_CY.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_EK.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_ES.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_HA.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_HI.ad_dc
 ^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_IF.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_KA.ad_dc
 ^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_LK.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_LU.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_LW.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_ME.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_MP.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_MS.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_MU.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_OW.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_RA.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_RM.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_SI.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_SS.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_WR.ad_dc
 ^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_aA.ad_dc
 ^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_aa.ad_dc