vfs_gpfs: Remove gpfs:prealloc from manpage
[gd/samba-autobuild/.git] / libgpo / gpo_sec.c
index 1bcfa1cbf1a3e8cb7473b01232624a6905aeba2d..82887bc7e1909fed2a2dacb06945f2759bf1f823 100644 (file)
  */
 
 #include "includes.h"
-#include "libcli/security/dom_sid.h"
-#if _SAMBA_BUILD_ == 4
-#include "libgpo/ads_convenience.h"
-#include "librpc/gen_ndr/security.h"
-#include "librpc/gen_ndr/ndr_misc.h"
+#include "libcli/security/security.h"
 #include "../libgpo/gpo.h"
-#endif
+#include "auth.h"
+#include "../librpc/ndr/libndr.h"
 
 /****************************************************************
 ****************************************************************/
@@ -50,11 +47,15 @@ static bool gpo_sd_check_agp_object_guid(const struct security_ace_object *objec
                                       &ext_right_apg_guid)) {
                                return true;
                        }
+
+                       FALL_THROUGH;
                case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT:
                        if (GUID_equal(&object->inherited_type.inherited_type,
                                       &ext_right_apg_guid)) {
                                return true;
                        }
+
+                       FALL_THROUGH;
                default:
                        break;
        }
@@ -79,11 +80,7 @@ static bool gpo_sd_check_agp_object(const struct security_ace *ace)
 
 static bool gpo_sd_check_agp_access_bits(uint32_t access_mask)
 {
-#if _SAMBA_BUILD_ == 4
        return (access_mask & SEC_ADS_CONTROL_ACCESS);
-#else
-       return (access_mask & SEC_RIGHTS_EXTENDED);
-#endif
 }
 
 #if 0
@@ -104,18 +101,15 @@ static bool gpo_sd_check_read_access_bits(uint32_t access_mask)
 ****************************************************************/
 
 static NTSTATUS gpo_sd_check_ace_denied_object(const struct security_ace *ace,
-                                              const NT_USER_TOKEN *token)
+                                              const struct security_token *token)
 {
-       char *sid_str;
-
        if (gpo_sd_check_agp_object(ace) &&
            gpo_sd_check_agp_access_bits(ace->access_mask) &&
-           nt_token_check_sid(&ace->trustee, token)) {
-               sid_str = dom_sid_string(NULL, &ace->trustee);
+           security_token_has_sid(token, &ace->trustee)) {
+               struct dom_sid_buf sid_str;
                DEBUG(10,("gpo_sd_check_ace_denied_object: "
                        "Access denied as of ace for %s\n",
-                       sid_str));
-               talloc_free(sid_str);
+                       dom_sid_str_buf(&ace->trustee, &sid_str)));
                return NT_STATUS_ACCESS_DENIED;
        }
 
@@ -126,19 +120,15 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const struct security_ace *ace,
 ****************************************************************/
 
 static NTSTATUS gpo_sd_check_ace_allowed_object(const struct security_ace *ace,
-                                               const NT_USER_TOKEN *token)
+                                               const struct security_token *token)
 {
-       char *sid_str;
-
        if (gpo_sd_check_agp_object(ace) &&
            gpo_sd_check_agp_access_bits(ace->access_mask) &&
-           nt_token_check_sid(&ace->trustee, token)) {
-               sid_str = dom_sid_string(NULL, &ace->trustee);
+           security_token_has_sid(token, &ace->trustee)) {
+               struct dom_sid_buf sid_str;
                DEBUG(10,("gpo_sd_check_ace_allowed_object: "
                        "Access granted as of ace for %s\n",
-                       sid_str));
-               talloc_free(sid_str);
-
+                       dom_sid_str_buf(&ace->trustee, &sid_str)));
                return NT_STATUS_OK;
        }
 
@@ -149,7 +139,7 @@ static NTSTATUS gpo_sd_check_ace_allowed_object(const struct security_ace *ace,
 ****************************************************************/
 
 static NTSTATUS gpo_sd_check_ace(const struct security_ace *ace,
-                                const NT_USER_TOKEN *token)
+                                const struct security_token *token)
 {
        switch (ace->type) {
                case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
@@ -165,7 +155,7 @@ static NTSTATUS gpo_sd_check_ace(const struct security_ace *ace,
 ****************************************************************/
 
 NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
-                                     const NT_USER_TOKEN *token)
+                                     const struct security_token *token)
 {
        struct security_descriptor *sd = gpo->security_descriptor;
        struct security_acl *dacl = NULL;