{SE_PRIV_PRINT_OPERATOR, "SaPrintOp", "Add or remove printers - Samba" },
{SE_PRIV_ALL, "SaAllPrivs", "all privileges" }
};
-/*
-PRIVS privs[] = {
- { 2, "SeCreateTokenPrivilege" },
- { 3, "SeAssignPrimaryTokenPrivilege" },
- { 4, "SeLockMemoryPrivilege" },
- { 5, "SeIncreaseQuotaPrivilege" },
- { 6, "SeMachineAccountPrivilege" },
- { 7, "SeTcbPrivilege" },
- { 8, "SeSecurityPrivilege" },
- { 9, "SeTakeOwnershipPrivilege" },
- { 10, "SeLoadDriverPrivilege" },
- { 11, "SeSystemProfilePrivilege" },
- { 12, "SeSystemtimePrivilege" },
- { 13, "SeProfileSingleProcessPrivilege" },
- { 14, "SeIncreaseBasePriorityPrivilege" },
- { 15, "SeCreatePagefilePrivilege" },
- { 16, "SeCreatePermanentPrivilege" },
- { 17, "SeBackupPrivilege" },
- { 18, "SeRestorePrivilege" },
- { 19, "SeShutdownPrivilege" },
- { 20, "SeDebugPrivilege" },
- { 21, "SeAuditPrivilege" },
- { 22, "SeSystemEnvironmentPrivilege" },
- { 23, "SeChangeNotifyPrivilege" },
- { 24, "SeRemoteShutdownPrivilege" },
- { 25, "SeUndockPrivilege" },
- { 26, "SeSyncAgentPrivilege" },
- { 27, "SeEnableDelegationPrivilege" },
-};
-*/
-
- /*
- * Those are not really privileges like the other ones.
- * They are handled in a special case and called
- * system privileges.
- *
- * SeNetworkLogonRight
- * SeUnsolicitedInputPrivilege
- * SeBatchLogonRight
- * SeServiceLogonRight
- * SeInteractiveLogonRight
- * SeDenyInteractiveLogonRight
- * SeDenyNetworkLogonRight
- * SeDenyBatchLogonRight
- * SeDenyBatchLogonRight
- */
-#if 0
-/****************************************************************************
-check if the user has the required privilege.
-****************************************************************************/
-static BOOL se_priv_access_check(NT_USER_TOKEN *token, uint32 privilege)
-{
- /* no token, no privilege */
- if (token==NULL)
- return False;
-
- if ((token->privilege & privilege)==privilege)
- return True;
-
- return False;
-}
-#endif
/****************************************************************************
dump the mapping group mapping to a text file
fstring str_admins;
fstring str_users;
fstring str_guests;
- LUID_ATTR set;
-
- PRIVILEGE_SET privilege_none;
- PRIVILEGE_SET privilege_all;
- PRIVILEGE_SET privilege_print_op;
-
- init_privilege(&privilege_none);
- init_privilege(&privilege_all);
- init_privilege(&privilege_print_op);
-
- set.attr=0;
- set.luid.high=0;
- set.luid.low=SE_PRIV_PRINT_OPERATOR;
- add_privilege(&privilege_print_op, set);
-
- add_all_privilege(&privilege_all);
/* Add the Wellknown groups */
- add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
- add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
- add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK);
- add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
-
- add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
- add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
- add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "", privilege_print_op, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
- add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
-
- add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "", privilege_none, PR_ACCESS_FROM_NETWORK);
+ add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "");
+ add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "");
+ add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "");
+ add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "");
+ add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "");
+ add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "");
+ add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "");
+ add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "");
+ add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "");
/* Add the defaults domain groups */
sid_copy(&sid_admins, get_global_sam_sid());
sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS);
sid_to_string(str_admins, &sid_admins);
- add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
+ add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "");
sid_copy(&sid_users, get_global_sam_sid());
sid_append_rid(&sid_users, DOMAIN_GROUP_RID_USERS);
sid_to_string(str_users, &sid_users);
- add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
+ add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "");
sid_copy(&sid_guests, get_global_sam_sid());
sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS);
sid_to_string(str_guests, &sid_guests);
- add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK);
-
- free_privilege(&privilege_none);
- free_privilege(&privilege_all);
- free_privilege(&privilege_print_op);
+ add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "");
return True;
}
pstring key, buf;
fstring string_sid="";
int len;
- int i;
- PRIVILEGE_SET *set;
if(!init_group_mapping()) {
DEBUG(0,("failed to initialize group mapping"));
sid_to_string(string_sid, &map->sid);
- len = tdb_pack(buf, sizeof(buf), "ddffd",
- map->gid, map->sid_name_use, map->nt_name, map->comment, map->systemaccount);
-
- /* write the privilege list in the TDB database */
-
- set=&map->priv_set;
- len += tdb_pack(buf+len, sizeof(buf)-len, "d", set->count);
- for (i=0; i<set->count; i++)
- len += tdb_pack(buf+len, sizeof(buf)-len, "ddd",
- set->set[i].luid.low, set->set[i].luid.high, set->set[i].attr);
+ len = tdb_pack(buf, sizeof(buf), "ddff",
+ map->gid, map->sid_name_use, map->nt_name, map->comment);
if (len > sizeof(buf))
return False;
/****************************************************************************
initialise first time the mapping list
****************************************************************************/
-BOOL add_initial_entry(gid_t gid, const char *sid, enum SID_NAME_USE sid_name_use,
- const char *nt_name, const char *comment, PRIVILEGE_SET priv_set, uint32 systemaccount)
+BOOL add_initial_entry(gid_t gid, const char *sid, enum SID_NAME_USE sid_name_use, const char *nt_name, const char *comment)
{
GROUP_MAP map;
map.sid_name_use=sid_name_use;
fstrcpy(map.nt_name, nt_name);
fstrcpy(map.comment, comment);
- map.systemaccount=systemaccount;
-
- map.priv_set.count=priv_set.count;
- map.priv_set.set=priv_set.set;
pdb_add_group_mapping_entry(&map);
return True;
}
-/****************************************************************************
-initialise a privilege list
-****************************************************************************/
-void init_privilege(PRIVILEGE_SET *priv_set)
-{
- priv_set->count=0;
- priv_set->control=0;
- priv_set->set=NULL;
-}
-
-/****************************************************************************
-free a privilege list
-****************************************************************************/
-BOOL free_privilege(PRIVILEGE_SET *priv_set)
-{
- if (priv_set->count==0) {
- DEBUG(100,("free_privilege: count=0, nothing to clear ?\n"));
- return False;
- }
-
- if (priv_set->set==NULL) {
- DEBUG(0,("free_privilege: list ptr is NULL, very strange !\n"));
- return False;
- }
-
- safe_free(priv_set->set);
- priv_set->count=0;
- priv_set->control=0;
- priv_set->set=NULL;
-
- return True;
-}
-
-/****************************************************************************
-add a privilege to a privilege array
-****************************************************************************/
-BOOL add_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set)
-{
- LUID_ATTR *new_set;
-
- /* check if the privilege is not already in the list */
- if (check_priv_in_privilege(priv_set, set))
- return False;
-
- /* we can allocate memory to add the new privilege */
-
- new_set=(LUID_ATTR *)Realloc(priv_set->set, (priv_set->count+1)*(sizeof(LUID_ATTR)));
- if (new_set==NULL) {
- DEBUG(0,("add_privilege: could not Realloc memory to add a new privilege\n"));
- return False;
- }
-
- new_set[priv_set->count].luid.high=set.luid.high;
- new_set[priv_set->count].luid.low=set.luid.low;
- new_set[priv_set->count].attr=set.attr;
-
- priv_set->count++;
- priv_set->set=new_set;
-
- return True;
-}
-
-/****************************************************************************
-add all the privileges to a privilege array
-****************************************************************************/
-BOOL add_all_privilege(PRIVILEGE_SET *priv_set)
-{
- LUID_ATTR set;
-
- set.attr=0;
- set.luid.high=0;
-
- set.luid.low=SE_PRIV_ADD_USERS;
- add_privilege(priv_set, set);
-
- set.luid.low=SE_PRIV_ADD_MACHINES;
- add_privilege(priv_set, set);
-
- set.luid.low=SE_PRIV_PRINT_OPERATOR;
- add_privilege(priv_set, set);
-
- return True;
-}
-
-/****************************************************************************
-check if the privilege list is empty
-****************************************************************************/
-BOOL check_empty_privilege(PRIVILEGE_SET *priv_set)
-{
- return (priv_set->count == 0);
-}
-
-/****************************************************************************
-check if the privilege is in the privilege list
-****************************************************************************/
-BOOL check_priv_in_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set)
-{
- int i;
-
- /* if the list is empty, obviously we can't have it */
- if (check_empty_privilege(priv_set))
- return False;
-
- for (i=0; i<priv_set->count; i++) {
- LUID_ATTR *cur_set;
-
- cur_set=&priv_set->set[i];
- /* check only the low and high part. Checking the attr field has no meaning */
- if( (cur_set->luid.low==set.luid.low) && (cur_set->luid.high==set.luid.high) )
- return True;
- }
-
- return False;
-}
-
-/****************************************************************************
-remove a privilege from a privilege array
-****************************************************************************/
-BOOL remove_privilege(PRIVILEGE_SET *priv_set, LUID_ATTR set)
-{
- LUID_ATTR *new_set;
- LUID_ATTR *old_set;
- int i,j;
-
- /* check if the privilege is in the list */
- if (!check_priv_in_privilege(priv_set, set))
- return False;
-
- /* special case if it's the only privilege in the list */
- if (priv_set->count==1) {
- free_privilege(priv_set);
- init_privilege(priv_set);
-
- return True;
- }
-
- /*
- * the privilege is there, create a new list,
- * and copy the other privileges
- */
-
- old_set=priv_set->set;
-
- new_set=(LUID_ATTR *)malloc((priv_set->count-1)*(sizeof(LUID_ATTR)));
- if (new_set==NULL) {
- DEBUG(0,("remove_privilege: could not malloc memory for new privilege list\n"));
- return False;
- }
-
- for (i=0, j=0; i<priv_set->count; i++) {
- if ((old_set[i].luid.low==set.luid.low) &&
- (old_set[i].luid.high==set.luid.high)) {
- continue;
- }
-
- new_set[j].luid.low=old_set[i].luid.low;
- new_set[j].luid.high=old_set[i].luid.high;
- new_set[j].attr=old_set[i].attr;
-
- j++;
- }
-
- if (j!=priv_set->count-1) {
- DEBUG(0,("remove_privilege: mismatch ! difference is not -1\n"));
- DEBUGADD(0,("old count:%d, new count:%d\n", priv_set->count, j));
- safe_free(new_set);
- return False;
- }
-
- /* ok everything is fine */
-
- priv_set->count--;
- priv_set->set=new_set;
-
- safe_free(old_set);
-
- return True;
-}
-
/****************************************************************************
Return the sid and the type of the unix group.
****************************************************************************/
-static BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv)
+static BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
{
TDB_DATA kbuf, dbuf;
pstring key;
fstring string_sid;
int ret;
- int i;
- PRIVILEGE_SET *set;
if(!init_group_mapping()) {
DEBUG(0,("failed to initialize group mapping"));
if (!dbuf.dptr)
return False;
- ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
- &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount);
-
- set=&map->priv_set;
- init_privilege(set);
- ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count);
-
- DEBUG(10,("get_group_map_from_sid: %d privileges\n", map->priv_set.count));
-
- set->set = NULL;
- if (set->count) {
- set->set=(LUID_ATTR *)smb_xmalloc(set->count*sizeof(LUID_ATTR));
- }
-
- for (i=0; i<set->count; i++)
- ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd",
- &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr));
+ ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
+ &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
SAFE_FREE(dbuf.dptr);
- if (ret != dbuf.dsize) {
- DEBUG(0,("get_group_map_from_sid: group mapping TDB corrupted ?\n"));
- free_privilege(set);
- return False;
- }
-
- /* we don't want the privileges */
- if (with_priv==MAPPING_WITHOUT_PRIV)
- free_privilege(set);
sid_copy(&map->sid, &sid);
Return the sid and the type of the unix group.
****************************************************************************/
-static BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv)
+static BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map)
{
TDB_DATA kbuf, dbuf, newkey;
fstring string_sid;
int ret;
- int i;
- PRIVILEGE_SET *set;
if(!init_group_mapping()) {
DEBUG(0,("failed to initialize group mapping"));
string_to_sid(&map->sid, string_sid);
- ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
- &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount);
-
- set=&map->priv_set;
- ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count);
- set->set = NULL;
- if (set->count) {
- set->set=(LUID_ATTR *)smb_xmalloc(set->count*sizeof(LUID_ATTR));
- }
-
- for (i=0; i<set->count; i++)
- ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd",
- &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr));
+ ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
+ &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
SAFE_FREE(dbuf.dptr);
- if (ret != dbuf.dsize){
- free_privilege(set);
- continue;
- }
if (gid==map->gid) {
- if (!with_priv)
- free_privilege(&map->priv_set);
SAFE_FREE(kbuf.dptr);
return True;
}
-
- free_privilege(set);
}
return False;
Return the sid and the type of the unix group.
****************************************************************************/
-static BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map, BOOL with_priv)
+static BOOL get_group_map_from_ntname(const char *name, GROUP_MAP *map)
{
TDB_DATA kbuf, dbuf, newkey;
fstring string_sid;
int ret;
- int i;
- PRIVILEGE_SET *set;
if(!init_group_mapping()) {
DEBUG(0,("get_group_map_from_ntname:failed to initialize group mapping"));
string_to_sid(&map->sid, string_sid);
- ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
- &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->systemaccount);
-
- set=&map->priv_set;
- ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count);
-
- set->set=(LUID_ATTR *)malloc(set->count*sizeof(LUID_ATTR));
- if (set->set==NULL) {
- DEBUG(0,("get_group_map_from_ntname: could not allocate memory for privileges\n"));
- return False;
- }
-
- for (i=0; i<set->count; i++)
- ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd",
- &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr));
+ ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
+ &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
SAFE_FREE(dbuf.dptr);
- if (ret != dbuf.dsize) {
- free_privilege(set);
- continue;
- }
if (StrCaseCmp(name, map->nt_name)==0) {
- if (!with_priv)
- free_privilege(&map->priv_set);
SAFE_FREE(kbuf.dptr);
return True;
}
-
- free_privilege(set);
}
return False;
****************************************************************************/
static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
- int *num_entries, BOOL unix_only, BOOL with_priv)
+ int *num_entries, BOOL unix_only)
{
TDB_DATA kbuf, dbuf, newkey;
fstring string_sid;
GROUP_MAP *mapt;
int ret;
int entries=0;
- int i;
- PRIVILEGE_SET *set;
if(!init_group_mapping()) {
DEBUG(0,("failed to initialize group mapping"));
fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
- ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
- &map.gid, &map.sid_name_use, &map.nt_name, &map.comment, &map.systemaccount);
-
- set=&map.priv_set;
- init_privilege(set);
-
- ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &set->count);
-
- if (set->count!=0) {
- set->set=(LUID_ATTR *)malloc(set->count*sizeof(LUID_ATTR));
- if (set->set==NULL) {
- DEBUG(0,("enum_group_mapping: could not allocate memory for privileges\n"));
- return False;
- }
- }
-
- for (i=0; i<set->count; i++)
- ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "ddd",
- &(set->set[i].luid.low), &(set->set[i].luid.high), &(set->set[i].attr));
+ ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
+ &map.gid, &map.sid_name_use, &map.nt_name, &map.comment);
SAFE_FREE(dbuf.dptr);
- if (ret != dbuf.dsize) {
- DEBUG(11,("enum_group_mapping: error in memory size\n"));
- free_privilege(set);
- continue;
- }
/* list only the type or everything if UNKNOWN */
if (sid_name_use!=SID_NAME_UNKNOWN && sid_name_use!=map.sid_name_use) {
DEBUG(11,("enum_group_mapping: group %s is not of the requested type\n", map.nt_name));
- free_privilege(set);
continue;
}
if (unix_only==ENUM_ONLY_MAPPED && map.gid==-1) {
DEBUG(11,("enum_group_mapping: group %s is non mapped\n", map.nt_name));
- free_privilege(set);
continue;
}
if (!mapt) {
DEBUG(0,("enum_group_mapping: Unable to enlarge group map!\n"));
SAFE_FREE(*rmap);
- free_privilege(set);
return False;
}
else
mapt[entries].sid_name_use = map.sid_name_use;
fstrcpy(mapt[entries].nt_name, map.nt_name);
fstrcpy(mapt[entries].comment, map.comment);
- mapt[entries].systemaccount=map.systemaccount;
- mapt[entries].priv_set.count=set->count;
- mapt[entries].priv_set.control=set->control;
- mapt[entries].priv_set.set=set->set;
- if (!with_priv)
- free_privilege(&(mapt[entries].priv_set));
entries++;
return True;
}
-
-/****************************************************************************
-convert a privilege string to a privilege array
-****************************************************************************/
-void convert_priv_from_text(PRIVILEGE_SET *se_priv, char *privilege)
-{
- pstring tok;
- const char *p = privilege;
- int i;
- LUID_ATTR set;
-
- /* By default no privilege */
- init_privilege(se_priv);
-
- if (privilege==NULL)
- return;
-
- while(next_token(&p, tok, " ", sizeof(tok)) ) {
- for (i=0; i<=PRIV_ALL_INDEX; i++) {
- if (StrCaseCmp(privs[i].priv, tok)==0) {
- set.attr=0;
- set.luid.high=0;
- set.luid.low=privs[i].se_priv;
- add_privilege(se_priv, set);
- }
- }
- }
-}
-
-/****************************************************************************
-convert a privilege array to a privilege string
-****************************************************************************/
-void convert_priv_to_text(PRIVILEGE_SET *se_priv, char *privilege)
-{
- int i,j;
-
- if (privilege==NULL)
- return;
-
- ZERO_STRUCTP(privilege);
-
- if (check_empty_privilege(se_priv)) {
- fstrcat(privilege, "No privilege");
- return;
- }
-
- for(i=0; i<se_priv->count; i++) {
- j=1;
- while (privs[j].se_priv!=se_priv->set[i].luid.low && j<=PRIV_ALL_INDEX) {
- j++;
- }
-
- fstrcat(privilege, privs[j].priv);
- fstrcat(privilege, " ");
- }
-}
-
-
/*
*
* High level functions
/* get a domain group from it's SID */
-BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv)
+BOOL get_domain_group_from_sid(DOM_SID sid, GROUP_MAP *map)
{
struct group *grp;
DEBUG(10, ("get_domain_group_from_sid\n"));
/* if the group is NOT in the database, it CAN NOT be a domain group */
- if(!pdb_getgrsid(map, sid, with_priv))
+ if(!pdb_getgrsid(map, sid))
return False;
DEBUG(10, ("get_domain_group_from_sid: SID found in the TDB\n"));
/* if it's not a domain group, continue */
if (map->sid_name_use!=SID_NAME_DOM_GRP) {
- if (with_priv)
- free_privilege(&map->priv_set);
return False;
}
DEBUG(10, ("get_domain_group_from_sid: SID is a domain group\n"));
if (map->gid==-1) {
- if (with_priv)
- free_privilege(&map->priv_set);
return False;
}
if ( (grp=getgrgid(map->gid)) == NULL) {
DEBUG(10, ("get_domain_group_from_sid: gid DOESN'T exist in UNIX security\n"));
- if (with_priv)
- free_privilege(&map->priv_set);
return False;
}
/* get a local (alias) group from it's SID */
-BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv)
+BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map)
{
struct group *grp;
}
/* The group is in the mapping table */
- if(pdb_getgrsid(map, sid, with_priv)) {
+ if(pdb_getgrsid(map, sid)) {
if (map->sid_name_use!=SID_NAME_ALIAS) {
- if (with_priv)
- free_privilege(&map->priv_set);
return False;
}
if (map->gid==-1) {
- if (with_priv)
- free_privilege(&map->priv_set);
return False;
}
if ( (grp=getgrgid(map->gid)) == NULL) {
- if (with_priv)
- free_privilege(&map->priv_set);
return False;
}
} else {
return False;
map->sid_name_use=SID_NAME_ALIAS;
- map->systemaccount=PR_ACCESS_FROM_NETWORK;
fstrcpy(map->nt_name, grp->gr_name);
fstrcpy(map->comment, "Local Unix Group");
- init_privilege(&map->priv_set);
-
sid_copy(&map->sid, &sid);
}
/* get a builtin group from it's SID */
-BOOL get_builtin_group_from_sid(DOM_SID sid, GROUP_MAP *map, BOOL with_priv)
+BOOL get_builtin_group_from_sid(DOM_SID sid, GROUP_MAP *map)
{
struct group *grp;
return(False);
}
- if(!pdb_getgrsid(map, sid, with_priv))
+ if(!pdb_getgrsid(map, sid))
return False;
if (map->sid_name_use!=SID_NAME_WKN_GRP) {
- if (with_priv)
- free_privilege(&map->priv_set);
return False;
}
if (map->gid==-1) {
- if (with_priv)
- free_privilege(&map->priv_set);
return False;
}
if ( (grp=getgrgid(map->gid)) == NULL) {
- if (with_priv)
- free_privilege(&map->priv_set);
return False;
}
/****************************************************************************
Returns a GROUP_MAP struct based on the gid.
****************************************************************************/
-BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv)
+BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map)
{
struct group *grp;
/*
* make a group map from scratch if doesn't exist.
*/
- if (!pdb_getgrgid(map, gid, with_priv)) {
+ if (!pdb_getgrgid(map, gid)) {
map->gid=gid;
map->sid_name_use=SID_NAME_ALIAS;
- map->systemaccount=PR_ACCESS_FROM_NETWORK;
- init_privilege(&map->priv_set);
/* interim solution until we have a last RID allocated */
NTSTATUS pdb_default_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
- DOM_SID sid, BOOL with_priv)
+ DOM_SID sid)
{
- return get_group_map_from_sid(sid, map, with_priv) ?
+ return get_group_map_from_sid(sid, map) ?
NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
}
NTSTATUS pdb_default_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
- gid_t gid, BOOL with_priv)
+ gid_t gid)
{
- return get_group_map_from_gid(gid, map, with_priv) ?
+ return get_group_map_from_gid(gid, map) ?
NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
}
NTSTATUS pdb_default_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
- char *name, BOOL with_priv)
+ const char *name)
{
- return get_group_map_from_ntname(name, map, with_priv) ?
+ return get_group_map_from_ntname(name, map) ?
NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
}
NTSTATUS pdb_default_enum_group_mapping(struct pdb_methods *methods,
enum SID_NAME_USE sid_name_use,
GROUP_MAP **rmap, int *num_entries,
- BOOL unix_only, BOOL with_priv)
+ BOOL unix_only)
{
- return enum_group_mapping(sid_name_use, rmap, num_entries, unix_only,
- with_priv) ?
+ return enum_group_mapping(sid_name_use, rmap, num_entries, unix_only) ?
NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
}
*********************************************************************/
NTSTATUS pdb_nop_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
- DOM_SID sid, BOOL with_priv)
+ DOM_SID sid)
{
return NT_STATUS_UNSUCCESSFUL;
}
NTSTATUS pdb_nop_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
- gid_t gid, BOOL with_priv)
+ gid_t gid)
{
return NT_STATUS_UNSUCCESSFUL;
}
NTSTATUS pdb_nop_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
- char *name, BOOL with_priv)
+ const char *name)
{
return NT_STATUS_UNSUCCESSFUL;
}
NTSTATUS pdb_nop_enum_group_mapping(struct pdb_methods *methods,
enum SID_NAME_USE sid_name_use,
GROUP_MAP **rmap, int *num_entries,
- BOOL unix_only, BOOL with_priv)
+ BOOL unix_only)
{
return NT_STATUS_UNSUCCESSFUL;
}
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
-#define PRIV_ALL_INDEX 5
-
-#define SE_PRIV_NONE 0x0000
-#define SE_PRIV_ADD_MACHINES 0x0006
-#define SE_PRIV_SEC_PRIV 0x0008
-#define SE_PRIV_TAKE_OWNER 0x0009
-#define SE_PRIV_ADD_USERS 0xff01
-#define SE_PRIV_PRINT_OPERATOR 0xff03
-#define SE_PRIV_ALL 0xffff
-
#define ENUM_ONLY_MAPPED True
#define ENUM_ALL_MAPPED False
-#define MAPPING_WITH_PRIV True
-#define MAPPING_WITHOUT_PRIV False
-
-#define PR_NONE 0x0000
-#define PR_LOG_ON_LOCALLY 0x0001
-#define PR_ACCESS_FROM_NETWORK 0x0002
-#define PR_LOG_ON_BATCH_JOB 0x0004
-#define PR_LOG_ON_SERVICE 0x0010
-
-
typedef struct _GROUP_MAP {
struct pdb_methods *methods;
gid_t gid;
enum SID_NAME_USE sid_name_use;
fstring nt_name;
fstring comment;
- uint32 systemaccount;
- PRIVILEGE_SET priv_set;
} GROUP_MAP;
-typedef struct _PRIVS {
- uint32 se_priv;
- const char *priv;
- const char *description;
-} PRIVS;
-
NTSTATUS (*pdb_delete_sam_account)(struct pdb_context *, SAM_ACCOUNT *username);
- NTSTATUS (*pdb_getgrsid)(struct pdb_context *context, GROUP_MAP *map,
- DOM_SID sid, BOOL with_priv);
+ NTSTATUS (*pdb_getgrsid)(struct pdb_context *context, GROUP_MAP *map, DOM_SID sid);
- NTSTATUS (*pdb_getgrgid)(struct pdb_context *context, GROUP_MAP *map,
- gid_t gid, BOOL with_priv);
+ NTSTATUS (*pdb_getgrgid)(struct pdb_context *context, GROUP_MAP *map, gid_t gid);
- NTSTATUS (*pdb_getgrnam)(struct pdb_context *context, GROUP_MAP *map,
- char *name, BOOL with_priv);
+ NTSTATUS (*pdb_getgrnam)(struct pdb_context *context, GROUP_MAP *map, const char *name);
NTSTATUS (*pdb_add_group_mapping_entry)(struct pdb_context *context,
GROUP_MAP *map);
NTSTATUS (*pdb_enum_group_mapping)(struct pdb_context *context,
enum SID_NAME_USE sid_name_use,
GROUP_MAP **rmap, int *num_entries,
- BOOL unix_only, BOOL with_priv);
+ BOOL unix_only);
void (*free_fn)(struct pdb_context **);
NTSTATUS (*delete_sam_account)(struct pdb_methods *, SAM_ACCOUNT *username);
- NTSTATUS (*getgrsid)(struct pdb_methods *methods, GROUP_MAP *map,
- DOM_SID sid, BOOL with_priv);
+ NTSTATUS (*getgrsid)(struct pdb_methods *methods, GROUP_MAP *map, DOM_SID sid);
- NTSTATUS (*getgrgid)(struct pdb_methods *methods, GROUP_MAP *map,
- gid_t gid, BOOL with_priv);
+ NTSTATUS (*getgrgid)(struct pdb_methods *methods, GROUP_MAP *map, gid_t gid);
- NTSTATUS (*getgrnam)(struct pdb_methods *methods, GROUP_MAP *map,
- char *name, BOOL with_priv);
+ NTSTATUS (*getgrnam)(struct pdb_methods *methods, GROUP_MAP *map, const char *name);
NTSTATUS (*add_group_mapping_entry)(struct pdb_methods *methods,
GROUP_MAP *map);
NTSTATUS (*enum_group_mapping)(struct pdb_methods *methods,
enum SID_NAME_USE sid_name_use,
GROUP_MAP **rmap, int *num_entries,
- BOOL unix_only, BOOL with_priv);
+ BOOL unix_only);
void *private_data; /* Private data of some kind */
#ifndef PRIVILEGES_H
#define PRIVILEGES_H
+#define PRIV_ALL_INDEX 5
+
+#define SE_PRIV_NONE 0x0000
+#define SE_PRIV_ADD_MACHINES 0x0006
+#define SE_PRIV_SEC_PRIV 0x0008
+#define SE_PRIV_TAKE_OWNER 0x0009
+#define SE_PRIV_ADD_USERS 0xff01
+#define SE_PRIV_PRINT_OPERATOR 0xff03
+#define SE_PRIV_ALL 0xffff
+
+#define PR_NONE 0x0000
+#define PR_LOG_ON_LOCALLY 0x0001
+#define PR_ACCESS_FROM_NETWORK 0x0002
+#define PR_LOG_ON_BATCH_JOB 0x0004
+#define PR_LOG_ON_SERVICE 0x0010
+
typedef struct LUID
{
uint32 low;
LUID_ATTR *set;
} PRIVILEGE_SET;
-#endif /* _RPC_LSA_H */
+typedef struct _PRIVS {
+ uint32 se_priv;
+ const char *priv;
+ const char *description;
+} PRIVS;
+
+
+#endif /* PRIVILEGES_H */
}
/* call the mapping code here */
- if(pdb_getgrgid(&map, pwd->pw_gid, MAPPING_WITHOUT_PRIV)) {
+ if(pdb_getgrgid(&map, pwd->pw_gid)) {
if (!pdb_set_group_sid(account_data, &map.sid, PDB_SET)){
DEBUG(0,("Can't set Group SID!\n"));
return NT_STATUS_INVALID_PARAMETER;
pdb_free_sam(&sam_account);
- if (pdb_getgrsid(&map, *sid, MAPPING_WITHOUT_PRIV)) {
+ if (pdb_getgrsid(&map, *sid)) {
if (map.gid!=(gid_t)-1) {
DEBUG(5,("local_lookup_sid: mapped group %s to gid %u\n", map.nt_name, (unsigned int)map.gid));
} else {
*/
/* check if it's a mapped group */
- if (pdb_getgrnam(&map, user, MAPPING_WITHOUT_PRIV)) {
+ if (pdb_getgrnam(&map, user)) {
/* yes it's a mapped group */
sid_copy(&local_sid, &map.sid);
*psid_name_use = map.sid_name_use;
* JFM, 30/11/2001
*/
- if (pdb_getgrgid(&map, grp->gr_gid, MAPPING_WITHOUT_PRIV)){
+ if (pdb_getgrgid(&map, grp->gr_gid)){
return False;
}
}
static NTSTATUS context_getgrsid(struct pdb_context *context,
- GROUP_MAP *map, DOM_SID sid, BOOL with_priv)
+ GROUP_MAP *map, DOM_SID sid)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
}
curmethods = context->pdb_methods;
while (curmethods){
- ret = curmethods->getgrsid(curmethods, map, sid, with_priv);
+ ret = curmethods->getgrsid(curmethods, map, sid);
if (NT_STATUS_IS_OK(ret)) {
map->methods = curmethods;
return ret;
}
static NTSTATUS context_getgrgid(struct pdb_context *context,
- GROUP_MAP *map, gid_t gid, BOOL with_priv)
+ GROUP_MAP *map, gid_t gid)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
}
curmethods = context->pdb_methods;
while (curmethods){
- ret = curmethods->getgrgid(curmethods, map, gid, with_priv);
+ ret = curmethods->getgrgid(curmethods, map, gid);
if (NT_STATUS_IS_OK(ret)) {
map->methods = curmethods;
return ret;
}
static NTSTATUS context_getgrnam(struct pdb_context *context,
- GROUP_MAP *map, char *name, BOOL with_priv)
+ GROUP_MAP *map, char *name)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
}
curmethods = context->pdb_methods;
while (curmethods){
- ret = curmethods->getgrnam(curmethods, map, name, with_priv);
+ ret = curmethods->getgrnam(curmethods, map, name);
if (NT_STATUS_IS_OK(ret)) {
map->methods = curmethods;
return ret;
static NTSTATUS context_enum_group_mapping(struct pdb_context *context,
enum SID_NAME_USE sid_name_use,
GROUP_MAP **rmap, int *num_entries,
- BOOL unix_only, BOOL with_priv)
+ BOOL unix_only)
{
NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
return context->pdb_methods->enum_group_mapping(context->pdb_methods,
sid_name_use, rmap,
- num_entries, unix_only,
- with_priv);
+ num_entries, unix_only);
}
/******************************************************************
return NT_STATUS_IS_OK(pdb_context->pdb_delete_sam_account(pdb_context, sam_acct));
}
-BOOL pdb_getgrsid(GROUP_MAP *map, DOM_SID sid, BOOL with_priv)
+BOOL pdb_getgrsid(GROUP_MAP *map, DOM_SID sid)
{
struct pdb_context *pdb_context = pdb_get_static_context(False);
}
return NT_STATUS_IS_OK(pdb_context->
- pdb_getgrsid(pdb_context, map, sid, with_priv));
+ pdb_getgrsid(pdb_context, map, sid));
}
-BOOL pdb_getgrgid(GROUP_MAP *map, gid_t gid, BOOL with_priv)
+BOOL pdb_getgrgid(GROUP_MAP *map, gid_t gid)
{
struct pdb_context *pdb_context = pdb_get_static_context(False);
}
return NT_STATUS_IS_OK(pdb_context->
- pdb_getgrgid(pdb_context, map, gid, with_priv));
+ pdb_getgrgid(pdb_context, map, gid));
}
-BOOL pdb_getgrnam(GROUP_MAP *map, char *name, BOOL with_priv)
+BOOL pdb_getgrnam(GROUP_MAP *map, char *name)
{
struct pdb_context *pdb_context = pdb_get_static_context(False);
}
return NT_STATUS_IS_OK(pdb_context->
- pdb_getgrnam(pdb_context, map, name, with_priv));
+ pdb_getgrnam(pdb_context, map, name));
}
BOOL pdb_add_group_mapping_entry(GROUP_MAP *map)
}
BOOL pdb_enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
- int *num_entries, BOOL unix_only, BOOL with_priv)
+ int *num_entries, BOOL unix_only)
{
struct pdb_context *pdb_context = pdb_get_static_context(False);
return NT_STATUS_IS_OK(pdb_context->
pdb_enum_group_mapping(pdb_context, sid_name_use,
- rmap, num_entries, unix_only,
- with_priv));
+ rmap, num_entries, unix_only));
}
/***************************************************************
{
GROUP_MAP map;
/* call the mapping code here */
- if(pdb_getgrgid(&map, gid, MAPPING_WITHOUT_PRIV)) {
+ if(pdb_getgrgid(&map, gid)) {
pdb_set_group_sid(sampass, &map.sid, PDB_SET);
}
else {
}
fstrcpy(map->comment, temp);
- map->systemaccount = 0;
- init_privilege(&map->priv_set);
-
return True;
}
*********************************************************************/
static NTSTATUS ldapsam_getgrsid(struct pdb_methods *methods, GROUP_MAP *map,
- DOM_SID sid, BOOL with_priv)
+ DOM_SID sid)
{
pstring filter;
*********************************************************************/
static NTSTATUS ldapsam_getgrgid(struct pdb_methods *methods, GROUP_MAP *map,
- gid_t gid, BOOL with_priv)
+ gid_t gid)
{
pstring filter;
*********************************************************************/
static NTSTATUS ldapsam_getgrnam(struct pdb_methods *methods, GROUP_MAP *map,
- char *name, BOOL with_priv)
+ const char *name)
{
pstring filter;
int rc;
if (NT_STATUS_IS_OK(ldapsam_getgrgid(methods, &dummy,
- map->gid, False))) {
+ map->gid))) {
DEBUG(0, ("Group %i already exists in LDAP\n", map->gid));
return NT_STATUS_UNSUCCESSFUL;
}
static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
enum SID_NAME_USE sid_name_use,
GROUP_MAP **rmap, int *num_entries,
- BOOL unix_only, BOOL with_priv)
+ BOOL unix_only)
{
GROUP_MAP map;
GROUP_MAP *mapt;
/* get the generic lsa policy SD until we store it */
lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
- if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status))
- return status;
+ if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
+ if (geteuid() != 0) {
+ return status;
+ }
+ DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
+ acc_granted, des_access));
+ DEBUGADD(4,("but overwritten by euid == 0\n"));
+ acc_granted = des_access;
+ }
+
/* associate the domain SID with the (unique) handle. */
if ((info = (struct lsa_info *)malloc(sizeof(struct lsa_info))) == NULL)
/* get the generic lsa policy SD until we store it */
lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
- if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status))
- return status;
+ if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
+ if (geteuid() != 0) {
+ return status;
+ }
+ DEBUG(4,("ACCESS should be DENIED (granted: %#010x; required: %#010x)\n",
+ acc_granted, des_access));
+ DEBUGADD(4,("but overwritten by euid == 0\n"));
+ acc_granted = des_access;
+ }
/* associate the domain SID with the (unique) handle. */
if ((info = (struct lsa_info *)malloc(sizeof(struct lsa_info))) == NULL)
return NT_STATUS_ACCESS_DENIED;
/* get the list of mapped groups (domain, local, builtin) */
- if(!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV))
+ if(!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED))
return NT_STATUS_OK;
if (q_u->enum_context >= num_entries)
{
struct lsa_info *info=NULL;
GROUP_MAP map;
- int i=0;
-
LUID_ATTR *set=NULL;
r_u->status = NT_STATUS_OK;
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV))
+ if (!pdb_getgrsid(&map, info->sid))
return NT_STATUS_NO_SUCH_GROUP;
+#if 0 /* privileges currently not implemented! */
DEBUG(10,("_lsa_enum_privsaccount: %d privileges\n", map.priv_set.count));
if (map.priv_set.count!=0) {
init_lsa_r_enum_privsaccount(r_u, set, map.priv_set.count, 0);
free_privilege(&map.priv_set);
+#endif
+
+ init_lsa_r_enum_privsaccount(r_u, set, 0, 0);
return r_u->status;
}
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!pdb_getgrsid(&map, info->sid, MAPPING_WITHOUT_PRIV))
+ if (!pdb_getgrsid(&map, info->sid))
return NT_STATUS_NO_SUCH_GROUP;
/*
they can be ORed together
*/
- r_u->access=map.systemaccount;
+ r_u->access = PR_LOG_ON_LOCALLY | PR_ACCESS_FROM_NETWORK;
return r_u->status;
}
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV))
+ if (!pdb_getgrsid(&map, info->sid))
return NT_STATUS_NO_SUCH_GROUP;
- map.systemaccount=q_u->access;
-
if(!pdb_update_group_mapping_entry(&map))
return NT_STATUS_NO_SUCH_GROUP;
- free_privilege(&map.priv_set);
-
return r_u->status;
}
NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u)
{
+#if 0
struct lsa_info *info=NULL;
GROUP_MAP map;
int i=0;
-
LUID_ATTR *luid_attr=NULL;
PRIVILEGE_SET *set=NULL;
+#endif
r_u->status = NT_STATUS_OK;
+#if 0 /* privileges are not implemented */
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV))
+ if (!pdb_getgrsid(&map, info->sid))
return NT_STATUS_NO_SUCH_GROUP;
set=&q_u->set;
free_privilege(&map.priv_set);
+#endif
return r_u->status;
}
NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEPRIVS *r_u)
{
+#if 0
struct lsa_info *info=NULL;
GROUP_MAP map;
int i=0;
-
LUID_ATTR *luid_attr=NULL;
PRIVILEGE_SET *set=NULL;
+#endif
r_u->status = NT_STATUS_OK;
+#if 0 /* privileges are not implemented */
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!pdb_getgrsid(&map, info->sid, MAPPING_WITH_PRIV))
+ if (!pdb_getgrsid(&map, info->sid))
return NT_STATUS_NO_SUCH_GROUP;
if (q_u->allrights!=0) {
return NT_STATUS_NO_SUCH_GROUP;
free_privilege(&map.priv_set);
-
+#endif
return r_u->status;
}
become_root();
- if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) {
+ if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED)) {
DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n"));
return NT_STATUS_NO_MEMORY;
}
/* well-known aliases */
if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) {
- pdb_enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV);
+ pdb_enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED);
if (num_entries != 0) {
*d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP));
for (; (num_entries < max_entries) && (grp != NULL); grp = grp->next) {
uint32 trid;
- if(!pdb_getgrgid(&smap, grp->gr_gid, MAPPING_WITHOUT_PRIV))
+ if(!pdb_getgrgid(&smap, grp->gr_gid))
continue;
if (smap.sid_name_use!=SID_NAME_ALIAS) {
*p_num_entries = 0;
- pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV);
+ pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED);
num_entries=group_entries-start_idx;
!sid_check_is_in_builtin(&sid))
return NT_STATUS_OBJECT_TYPE_MISMATCH;
- if (!pdb_getgrsid(&map, sid, MAPPING_WITHOUT_PRIV))
+ if (!pdb_getgrsid(&map, sid))
return NT_STATUS_NO_SUCH_ALIAS;
switch (q_u->switch_level) {
if (sid_equal(&alias_sid, &global_sid_Builtin)) {
DEBUG(10, ("lookup on Builtin SID (S-1-5-32)\n"));
- if(!get_builtin_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV))
+ if(!get_builtin_group_from_sid(als_sid, &map))
return NT_STATUS_NO_SUCH_ALIAS;
} else {
if (sid_equal(&alias_sid, get_global_sam_sid())) {
DEBUG(10, ("lookup on Server SID\n"));
- if(!get_local_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV))
+ if(!get_local_group_from_sid(als_sid, &map))
return NT_STATUS_NO_SUCH_ALIAS;
}
}
sid_append_rid(&group_sid, group_rid);
DEBUG(10, ("lookup on Domain SID\n"));
- if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV))
+ if(!get_domain_group_from_sid(group_sid, &map))
return NT_STATUS_NO_SUCH_GROUP;
if(!get_uid_list_of_group(map.gid, &uid, &num_uids))
if (sid_compare(&alias_sid, get_global_sam_sid())>0) {
DEBUG(10, ("adding member on Server SID\n"));
- if(!get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV))
+ if(!get_local_group_from_sid(alias_sid, &map))
return NT_STATUS_NO_SUCH_ALIAS;
} else {
if (sid_compare(&alias_sid, &global_sid_Builtin)>0) {
DEBUG(10, ("adding member on BUILTIN SID\n"));
- if( !get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV))
+ if( !get_local_group_from_sid(alias_sid, &map))
return NT_STATUS_NO_SUCH_ALIAS;
} else
return NT_STATUS_NO_SUCH_ALIAS;
}
- if( !get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV))
+ if( !get_local_group_from_sid(alias_sid, &map))
return NT_STATUS_NO_SUCH_ALIAS;
if ((grp=getgrgid(map.gid)) == NULL)
DEBUG(10, ("lookup on Domain SID\n"));
- if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV))
+ if(!get_domain_group_from_sid(group_sid, &map))
return NT_STATUS_NO_SUCH_GROUP;
sid_copy(&user_sid, get_global_sam_sid());
sid_copy(&user_sid, get_global_sam_sid());
sid_append_rid(&user_sid, q_u->rid);
- if (!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV))
+ if (!get_domain_group_from_sid(group_sid, &map))
return NT_STATUS_NO_SUCH_GROUP;
if ((grp=getgrgid(map.gid)) == NULL)
DEBUG(10, ("lookup on Domain SID\n"));
- if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV))
+ if(!get_domain_group_from_sid(group_sid, &map))
return NT_STATUS_NO_SUCH_GROUP;
gid=map.gid;
DEBUG(10, ("lookup on Local SID\n"));
- if(!get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV))
+ if(!get_local_group_from_sid(alias_sid, &map))
return NT_STATUS_NO_SUCH_ALIAS;
gid=map.gid;
fstring sid_string;
struct group *grp;
struct samr_info *info;
- PRIVILEGE_SET priv_set;
uint32 acc_granted;
gid_t gid;
- init_privilege(&priv_set);
-
/* Find the policy handle. Open a policy on it. */
if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted))
return NT_STATUS_INVALID_HANDLE;
sid_append_rid(&info_sid, r_u->rid);
sid_to_string(sid_string, &info_sid);
- if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL, priv_set, PR_ACCESS_FROM_NETWORK))
+ if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_DOM_GRP, name, NULL))
return NT_STATUS_ACCESS_DENIED;
if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
fstring sid_string;
struct group *grp;
struct samr_info *info;
- PRIVILEGE_SET priv_set;
uint32 acc_granted;
gid_t gid;
- init_privilege(&priv_set);
-
/* Find the policy handle. Open a policy on it. */
if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted))
return NT_STATUS_INVALID_HANDLE;
sid_to_string(sid_string, &info_sid);
/* add the group to the mapping table */
- if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL, priv_set, PR_ACCESS_FROM_NETWORK))
+ if(!add_initial_entry(grp->gr_gid, sid_string, SID_NAME_ALIAS, name, NULL))
return NT_STATUS_ACCESS_DENIED;
if ((info = get_samr_info_by_sid(&info_sid)) == NULL)
return r_u->status;
}
- if (!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV))
+ if (!get_domain_group_from_sid(group_sid, &map))
return NT_STATUS_INVALID_HANDLE;
ctr=(GROUP_INFO_CTR *)talloc_zero(p->mem_ctx, sizeof(GROUP_INFO_CTR));
return r_u->status;
}
- if (!get_domain_group_from_sid(group_sid, &map, MAPPING_WITH_PRIV))
+ if (!get_domain_group_from_sid(group_sid, &map))
return NT_STATUS_NO_SUCH_GROUP;
ctr=q_u->ctr;
unistr2_to_ascii(map.comment, &(ctr->group.info4.uni_acct_desc), sizeof(map.comment)-1);
break;
default:
- free_privilege(&map.priv_set);
return NT_STATUS_INVALID_INFO_CLASS;
}
if(!pdb_update_group_mapping_entry(&map)) {
- free_privilege(&map.priv_set);
return NT_STATUS_NO_SUCH_GROUP;
}
- free_privilege(&map.priv_set);
-
return NT_STATUS_OK;
}
return r_u->status;
}
- if (!get_local_group_from_sid(group_sid, &map, MAPPING_WITH_PRIV))
+ if (!get_local_group_from_sid(group_sid, &map))
return NT_STATUS_NO_SUCH_GROUP;
ctr=&q_u->ctr;
unistr2_to_ascii(map.comment, &(ctr->alias.info3.uni_acct_desc), sizeof(map.comment)-1);
break;
default:
- free_privilege(&map.priv_set);
return NT_STATUS_INVALID_INFO_CLASS;
}
if(!pdb_update_group_mapping_entry(&map)) {
- free_privilege(&map.priv_set);
return NT_STATUS_NO_SUCH_GROUP;
}
- free_privilege(&map.priv_set);
-
return NT_STATUS_OK;
}
DEBUG(10, ("_samr_open_group:Opening SID: %s\n", sid_string));
/* check if that group really exists */
- if (!get_domain_group_from_sid(info->sid, &map, MAPPING_WITHOUT_PRIV))
+ if (!get_domain_group_from_sid(info->sid, &map))
return NT_STATUS_NO_SUCH_GROUP;
/* get a (unique) handle. open a policy on it. */
}
for (i=0;i<num_groups;i++) {
- if(!get_group_from_gid(groups[i], &map, MAPPING_WITHOUT_PRIV)) {
+
+ if (!get_group_from_gid(groups[i], &map)) {
DEBUG(10,("get_alias_user_groups: gid %d. not found\n", (int)groups[i]));
continue;
}
/* if it's not an alias, continue */
- if (map.sid_name_use!=SID_NAME_ALIAS) {
+ if (map.sid_name_use != SID_NAME_ALIAS) {
DEBUG(10,("get_alias_user_groups: not returing %s, not an ALIAS group.\n", map.nt_name));
continue;
}
DEBUG(10,("get_alias_user_groups: looking for gid %d of user %s\n", (int)gid, user_name));
- if(!get_group_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
+ if(!get_group_from_gid(gid, &map)) {
DEBUG(0,("get_alias_user_groups: gid of user %s doesn't exist. Check your /etc/passwd and /etc/group files\n", user_name));
goto done;
}
DEBUG(10,("get_domain_user_groups: searching domain groups [%s] is a member of\n", user_name));
/* first get the list of the domain groups */
- if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV))
+ if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED))
return False;
DEBUG(10,("get_domain_user_groups: there are %d mapped groups\n", num_entries));
}
/* now fill in group mappings */
- if(pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) {
+ if(pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED)) {
int i;
for (i = 0; i < num_entries; i++) {
return False;
/* get list of domain groups SID_DOMAIN_GRP=2 */
- if(!pdb_enum_group_mapping(SID_NAME_DOM_GRP , &group_list, &num_entries, False, False)) {
+ if(!pdb_enum_group_mapping(SID_NAME_DOM_GRP , &group_list, &num_entries, False)) {
DEBUG(3,("api_RNetGroupEnum:failed to get group list"));
return False;
}
pdb_free_sam(&pwd);
if (!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries,
- ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV))
+ ENUM_ONLY_MAPPED))
return max_rid;
for (i = 0; i < num_entries; i++) {
if (StrnCaseCmp( input, "S-", 2)) {
/* Perhaps its the NT group name? */
- if (!pdb_getgrnam(&map, input, MAPPING_WITHOUT_PRIV)) {
+ if (!pdb_getgrnam(&map, input)) {
printf("NT Group %s doesn't exist in mapping DB\n", input);
return False;
} else {
{
fstring string_sid;
fstring group_type;
- fstring priv_text;
decode_sid_name_use(group_type, map.sid_name_use);
sid_to_string(string_sid, &map.sid);
- convert_priv_to_text(&(map.priv_set), priv_text);
if (!long_list)
d_printf("%s (%s) -> %s\n", map.nt_name, string_sid, gidtoname(map.gid));
d_printf("\tUnix group: %s\n", gidtoname(map.gid));
d_printf("\tGroup type: %s\n", group_type);
d_printf("\tComment : %s\n", map.comment);
- d_printf("\tPrivilege : %s\n\n", priv_text);
}
}
}
/* Get the current mapping from the database */
- if(!pdb_getgrsid(&map, sid, MAPPING_WITH_PRIV)) {
+ if(!pdb_getgrsid(&map, sid)) {
d_printf("Failure to local group SID in the database\n");
return -1;
}
print_map_entry( map, long_list );
- free_privilege(&(map.priv_set));
}
else {
GROUP_MAP *map=NULL;
/* enumerate all group mappings */
- if ( !pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED, MAPPING_WITH_PRIV) )
+ if (!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED))
return -1;
for (i=0; i<entries; i++) {
print_map_entry( map[i], long_list );
- free_privilege(&(map[i].priv_set));
}
}
int net_groupmap_add(int argc, const char **argv)
{
- PRIVILEGE_SET se_priv;
DOM_SID sid;
fstring ntgroup = "";
fstring unixgrp = "";
fstrcpy( ntgroup, unixgrp );
- init_privilege(&se_priv);
-#if 0
- if (privilege!=NULL)
- convert_priv_from_text(&se_priv, privilege);
-#endif
-
- if (!add_initial_entry(gid, string_sid, sid_type, ntgroup,
- ntcomment, se_priv, PR_ACCESS_FROM_NETWORK) ) {
+ if (!add_initial_entry(gid, string_sid, sid_type, ntgroup, ntcomment)) {
d_printf("adding entry for group %s failed!\n", ntgroup);
return -1;
}
- free_privilege(&se_priv);
-
d_printf("Successully added group %s to the mapping db\n", ntgroup);
return 0;
}
}
/* Get the current mapping from the database */
- if(!pdb_getgrsid(&map, sid, MAPPING_WITH_PRIV)) {
+ if(!pdb_getgrsid(&map, sid)) {
d_printf("Failure to local group SID in the database\n");
return -1;
}
* Allow changing of group type only between domain and local
* We disallow changing Builtin groups !!! (SID problem)
*/
- if ( sid_type != SID_NAME_UNKNOWN )
- {
- if ( map.sid_name_use == SID_NAME_WKN_GRP ) {
+ if (sid_type != SID_NAME_UNKNOWN) {
+ if (map.sid_name_use == SID_NAME_WKN_GRP) {
d_printf("You can only change between domain and local groups.\n");
return -1;
}
map.gid = gid;
}
-#if 0
- /* Change the privilege if new one */
- if (privilege!=NULL)
- convert_priv_from_text(&map.priv_set, privilege);
-#endif
-
if ( !pdb_update_group_mapping_entry(&map) ) {
d_printf("Could not update group database\n");
- free_privilege(&map.priv_set);
return -1;
}
- free_privilege(&map.priv_set);
-
d_printf("Updated mapping entry for %s\n", ntgroup);
return 0;
sid = *pdb_get_group_sid(sam_account);
- if (!pdb_getgrsid(&map, sid, False)) {
+ if (!pdb_getgrsid(&map, sid)) {
DEBUG(0, ("Primary group of %s has no mapping!\n",
pdb_get_username(sam_account)));
pdb_free_sam(&sam_account);
sid_append_rid(&group_sid, rid);
sid_to_string(sid_string, &group_sid);
- if (pdb_getgrsid(&map, group_sid, False)) {
+ if (pdb_getgrsid(&map, group_sid)) {
grp = getgrgid(map.gid);
insert = False;
}
fstrcpy(map.nt_name, name);
fstrcpy(map.comment, comment);
- map.priv_set.count = 0;
- map.priv_set.set = NULL;
-
if (insert)
pdb_add_group_mapping_entry(&map);
else
sid_copy(&group_sid, get_global_sam_sid());
sid_append_rid(&group_sid, rid);
- if (!get_domain_group_from_sid(group_sid, &map, False)) {
+ if (!get_domain_group_from_sid(group_sid, &map)) {
DEBUG(0, ("Could not find global group %d\n", rid));
return NT_STATUS_NO_SUCH_GROUP;
}
sid_append_rid(&alias_sid, rid);
sid_to_string(sid_string, &alias_sid);
- if (pdb_getgrsid(&map, alias_sid, False)) {
+ if (pdb_getgrsid(&map, alias_sid)) {
grp = getgrgid(map.gid);
insert = False;
}
fstrcpy(map.nt_name, name);
fstrcpy(map.comment, comment);
- map.priv_set.count = 0;
- map.priv_set.set = NULL;
-
if (insert)
pdb_add_group_mapping_entry(&map);
else
if (NT_STATUS_IS_ERR(in->pdb_enum_group_mapping(in, SID_NAME_UNKNOWN,
&maps, &entries,
- False, False))) {
+ False))) {
fprintf(stderr, "Can't get group mappings!\n");
return 1;
}
git.samba.org / tprouty / samba.git / commitdiff