author | Jean-François Micouleau <jfm@samba.org> | 2001-11-23 15:11:22 +0000 |
---|---|---|
committer | Jean-François Micouleau <jfm@samba.org> | 2001-11-23 15:11:22 +0000 |
commit | f29774e58973f421bfa163c45bfae201a140f28c (patch) | |
tree | 1410ee22b26ef73fcab2968f8872bd9804249666 | |
parent | a58d0f91f9ee7354c01a9c20cfe178d5dc02142d (diff) | |
Changed how the privileges are stored in the group mapping code. It's now
an array of uint32. That's not perfect but that's better.
Added more privileges too.
Changed the local_lookup_rid/name functions in passdb.c to check if the
group is mapped. Makes the LSA rpc calls return correct groups
Corrected the return code in the LSA server code enum_sids.
Only enumerate well known aliases if they are mapped to real unix groups.
This avoids confusing users with groups that are not available.
Added a short/long view to smbgroupedit.
now decoding rpc calls to add/remove privileges to sid.
J.F.
-rw-r--r-- | source/groupdb/mapping.c | 215 | ||||
-rw-r--r-- | source/include/mapping.h | 26 | ||||
-rw-r--r-- | source/libsmb/cli_lsarpc.c | 2 | ||||
-rw-r--r-- | source/passdb/passdb.c | 39 | ||||
-rw-r--r-- | source/rpc_parse/parse_lsa.c | 9 | ||||
-rw-r--r-- | source/rpc_server/srv_lsa_nt.c | 12 | ||||
-rw-r--r-- | source/rpc_server/srv_samr_nt.c | 2 | ||||
-rw-r--r-- | source/utils/smbgroupedit.c | 56 |
8 files changed, 266 insertions, 95 deletions
diff --git a/source/groupdb/mapping.c b/source/groupdb/mapping.c index 5173132af89..678824d8129 100644 --- a/source/groupdb/mapping.c +++ b/source/groupdb/mapping.c @@ -30,11 +30,13 @@ static TDB_CONTEXT *tdb; /* used for driver files */ #define GROUP_PREFIX "UNIXGROUP/" PRIVS privs[] = { - {SE_PRIV_NONE, "no_privs", "No privilege"}, - {SE_PRIV_ADD_USERS, "add_users", "add users"}, - {SE_PRIV_ADD_MACHINES, "add_computers", "add computers to domain"}, - {SE_PRIV_PRINT_OPERATOR, "print_op", "printer operator"}, - {SE_PRIV_ALL, "all_privs", "all privileges"} + {SE_PRIV_NONE, "no_privs", "No privilege" }, /* this one MUST be first */ + {SE_PRIV_ADD_MACHINES, "SeMachineAccountPrivilege", "Add workstations to the domain" }, + {SE_PRIV_SEC_PRIV, "SeSecurityPrivilege", "Manage the audit logs" }, + {SE_PRIV_TAKE_OWNER, "SeTakeOwnershipPrivilege", "Take ownership of file" }, + {SE_PRIV_ADD_USERS, "SaAddUsers", "Add users to the domain - Samba" }, + {SE_PRIV_PRINT_OPERATOR, "SaPrintOp", "Add or remove printers - Samba" }, + {SE_PRIV_ALL, "SaAllPrivs", "all privileges" } }; /* PRIVS privs[] = { @@ -61,6 +63,9 @@ PRIVS privs[] = { { 22, "SeSystemEnvironmentPrivilege" }, { 23, "SeChangeNotifyPrivilege" }, { 24, "SeRemoteShutdownPrivilege" }, + { 25, "SeUndockPrivilege" }, + { 26, "SeSyncAgentPrivilege" }, + { 27, "SeEnableDelegationPrivilege" }, }; */ @@ -157,11 +162,15 @@ BOOL add_mapping_entry(GROUP_MAP *map, int flag) pstring key, buf; fstring string_sid=""; int len; + int i; sid_to_string(string_sid, &map->sid); - len = tdb_pack(buf, sizeof(buf), "ddffd", - map->gid, map->sid_name_use, map->nt_name, map->comment, map->privilege); + len = tdb_pack(buf, sizeof(buf), "ddff", + map->gid, map->sid_name_use, map->nt_name, map->comment); + + for (i=0; i<PRIV_ALL_INDEX; i++) + len += tdb_pack(buf+len, sizeof(buf)-len, "d", map->privileges[i]); if (len > sizeof(buf)) return False; 
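Review bot: The new `privs[]` table has seven rows with `SE_PRIV_ALL` at index 6, while `mapping.h` in this commit sets `PRIV_ALL_INDEX` to 5 and also uses it as the size of `privileges[]`, so the constant no longer describes either use. `convert_priv_from_text` still scans with `i<=PRIV_ALL_INDEX`, which stops at `SaPrintOp` and can never match the `SaAllPrivs` token. In mapping.c I would take the table length from the array itself, `sizeof(privs)/sizeof(privs[0])`, and give the per-group array size its own name. The comment `/* this one MUST be first */` would also be more useful if it said which code depends on that ordering.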
@@ -180,16 +189,18 @@ BOOL add_mapping_entry(GROUP_MAP *map, int flag) initialise first time the mapping list ****************************************************************************/ BOOL add_initial_entry(gid_t gid, fstring sid, enum SID_NAME_USE sid_name_use, - fstring nt_name, fstring comment, uint32 privilege) + fstring nt_name, fstring comment, uint32 *privilege) { GROUP_MAP map; + int i; map.gid=gid; string_to_sid(&map.sid, sid); map.sid_name_use=sid_name_use; fstrcpy(map.nt_name, nt_name); fstrcpy(map.comment, comment); - map.privilege=privilege; + for (i=0; i<PRIV_ALL_INDEX; i++) + map.privileges[i]=privilege[i]; add_mapping_entry(&map, TDB_INSERT); 
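Review bot: `add_initial_entry` now reads `PRIV_ALL_INDEX` elements through `uint32 *privilege`, but neither the signature nor the header comment says so. A caller that still passes the address of a single `uint32` would compile and be read past its end. Declaring the parameter as `uint32 privilege[PRIV_ALL_INDEX]`, or adding `/* privilege must point at PRIV_ALL_INDEX entries, see init_privilege() */`, documents the contract. The result of `add_mapping_entry(&map, TDB_INSERT)` is dropped in the visible context; the function's return statement lies outside the hunk.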
@@ -197,6 +208,79 @@ BOOL add_initial_entry(gid_t gid, fstring sid, enum SID_NAME_USE sid_name_use, } /**************************************************************************** +initialise a privilege list +****************************************************************************/ +void init_privilege(uint32 *privilege) +{ + int i; + + for (i=0; i<PRIV_ALL_INDEX; i++) + privilege[i]=0; +} + +/**************************************************************************** +add a privilege to a privilege array +****************************************************************************/ +BOOL add_privilege(uint32 *privilege, uint32 priv) +{ + int i; + + while (i<PRIV_ALL_INDEX && privilege[i]!=0 && privilege[i]!=priv) + i++; + + if (i==PRIV_ALL_INDEX) { + DEBUG(10,("add_privilege: the privilege array is full, can't add new priv\n")); + return False; + } + + if (privilege[i]==priv) { + DEBUG(10,("add_privilege: privilege already in array\n")); + return False; + } + + if (privilege[i]==0) + privilege[i]=priv; + + return True; +} + +/**************************************************************************** +add all the privileges to a privilege array +****************************************************************************/ +BOOL add_all_privilege(uint32 *privilege) +{ + add_privilege(privilege, SE_PRIV_ADD_USERS); + add_privilege(privilege, SE_PRIV_ADD_MACHINES); + add_privilege(privilege, SE_PRIV_PRINT_OPERATOR); +} + +/**************************************************************************** +check if the privilege list is empty +****************************************************************************/ +BOOL check_empty_privilege(uint32 *privilege) +{ + int i; + + for (i=0; i<PRIV_ALL_INDEX; i++) + if(privilege[i]!=0) + return False; + return True; +} + +/**************************************************************************** +check if the privilege is in the privilege list 
+****************************************************************************/ +BOOL check_priv_in_privilege(uint32 *privilege, uint32 priv) +{ + int i; + + for (i=0; i<PRIV_ALL_INDEX; i++) + if(privilege[i]==priv) + return True; + return False; +} + +/**************************************************************************** initialise first time the mapping list ****************************************************************************/ BOOL default_group_mapping(void) 
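Review bot: `add_privilege` declares `int i;` and then reads it in `while (i<PRIV_ALL_INDEX && ...)` without assigning it, so the scan starts at an indeterminate index and `privilege[i]` can fall outside the array; the declaration should be `int i=0;`. In the same hunk `add_all_privilege` is declared `BOOL` but has no `return`, so any caller that tests its result sees an undefined value; add `return True;` or make it `void`. `add_privilege` is reached from `convert_priv_from_text` and `default_group_mapping`, so the first defect affects every privilege list built by this commit.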
@@ -207,38 +291,50 @@ BOOL default_group_mapping(void) fstring str_admins; fstring str_users; fstring str_guests; + int i; + + uint32 privilege_none[PRIV_ALL_INDEX]; + uint32 privilege_all[PRIV_ALL_INDEX]; + uint32 privilege_print_op[PRIV_ALL_INDEX]; + + init_privilege(privilege_none); + init_privilege(privilege_all); + init_privilege(privilege_print_op); + add_privilege(privilege_print_op, SE_PRIV_PRINT_OPERATOR); + + add_all_privilege(privilege_all); /* Add the Wellknown groups */ - add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "", SE_PRIV_ALL); - add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "", SE_PRIV_NONE); - add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "", SE_PRIV_NONE); - add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "", SE_PRIV_NONE); + add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "", privilege_all); + add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "", privilege_none); + add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "", privilege_none); + add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "", privilege_none); - add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "", SE_PRIV_NONE); - add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "", SE_PRIV_NONE); - add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "", SE_PRIV_PRINT_OPERATOR); - add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "", SE_PRIV_NONE); + add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "", privilege_none); + add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "", privilege_none); + add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "", privilege_print_op); + add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "", 
privilege_none); - add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "", SE_PRIV_NONE); + add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "", privilege_none); /* Add the defaults domain groups */ sid_copy(&sid_admins, &global_sam_sid); sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS); sid_to_string(str_admins, &sid_admins); - add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "", SE_PRIV_ALL); + add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "", privilege_all); sid_copy(&sid_users, &global_sam_sid); sid_append_rid(&sid_users, DOMAIN_GROUP_RID_USERS); sid_to_string(str_users, &sid_users); - add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "", SE_PRIV_NONE); + add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "", privilege_none); sid_copy(&sid_guests, &global_sam_sid); sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS); sid_to_string(str_guests, &sid_guests); - add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "", SE_PRIV_NONE); + add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "", privilege_none); return True; } @@ -253,6 +349,7 @@ BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map) pstring key; fstring string_sid; int ret; + int i; /* the key is the SID, retrieving is direct */ 
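Review bot: `privilege_all` is filled by `add_all_privilege`, which adds only `SE_PRIV_ADD_USERS`, `SE_PRIV_ADD_MACHINES` and `SE_PRIV_PRINT_OPERATOR`. Administrators and Domain Admins are therefore created without `SE_PRIV_SEC_PRIV` and `SE_PRIV_TAKE_OWNER`, even though both are rows in the new `privs[]` table. If that is intended, a comment above `add_all_privilege(privilege_all);` should say which privileges "all" covers; otherwise add the two missing `add_privilege` calls. The new `int i;` in `default_group_mapping` is unused in the visible lines.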
@@ -265,12 +362,15 @@ BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map) dbuf = tdb_fetch(tdb, kbuf); if (!dbuf.dptr) return False; - ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd", - &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->privilege); + ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff", + &map->gid, &map->sid_name_use, &map->nt_name, &map->comment); + + for (i=0; i<PRIV_ALL_INDEX; i++) + ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &map->privileges[i]); SAFE_FREE(dbuf.dptr); if (ret != dbuf.dsize) { - DEBUG(0,("get_group_map_from_sid: mapping TDB corrupted ?\n")); + DEBUG(0,("get_group_map_from_sid: group mapping TDB corrupted ?\n")); return False; } @@ -288,6 +388,7 @@ BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map) TDB_DATA kbuf, dbuf, newkey; fstring string_sid; int ret; + int i; /* we need to enumerate the TDB to find the GID */ @@ -304,8 +405,11 @@ BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map) string_to_sid(&map->sid, string_sid); - ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd", - &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->privilege); + ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff", + &map->gid, &map->sid_name_use, &map->nt_name, &map->comment); + + for (i=0; i<PRIV_ALL_INDEX; i++) + ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &map->privileges[i]); SAFE_FREE(dbuf.dptr); if (ret != dbuf.dsize) continue; @@ -325,8 +429,9 @@ BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map) TDB_DATA kbuf, dbuf, newkey; fstring string_sid; int ret; + int i; - /* we need to enumerate the TDB to find the GID */ + /* we need to enumerate the TDB to find the SID */ for (kbuf = tdb_firstkey(tdb); kbuf.dptr; 
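Review bot: Each `ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", ...)` in `get_group_map_from_sid` adds the return value without checking it. If `tdb_unpack` reports a short buffer with a negative value (its definition is not shown here), a failed first call makes the next one start before `dbuf.dptr` with a length larger than the record. I would test each result before accumulating it, e.g. `if (r < 0) { SAFE_FREE(dbuf.dptr); return False; }`. Records written with the old `"ddffd"` layout will also fail the `ret != dbuf.dsize` test and be reported as corrupted, so the format change deserves a note in the function header or an upgrade path. The same loop appears in `get_group_map_from_gid`, `get_group_map_from_ntname` and `enum_group_mapping`.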
@@ -341,8 +446,11 @@ BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map) string_to_sid(&map->sid, string_sid); - ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd", - &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->privilege); + ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff", + &map->gid, &map->sid_name_use, &map->nt_name, &map->comment); + + for (i=0; i<PRIV_ALL_INDEX; i++) + ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &map->privileges[i]); SAFE_FREE(dbuf.dptr); if (ret != dbuf.dsize) continue; @@ -397,6 +505,7 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, GROUP_MAP *mapt; int ret; int entries=0; + int i; *num_entries=0; *rmap=NULL; @@ -414,8 +523,11 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX)); - ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd", - &map.gid, &map.sid_name_use, &map.nt_name, &map.comment, &map.privilege); + ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff", + &map.gid, &map.sid_name_use, &map.nt_name, &map.comment); + + for (i=0; i<PRIV_ALL_INDEX; i++) + ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &map.privileges[i]); SAFE_FREE(dbuf.dptr); if (ret != dbuf.dsize) @@ -445,7 +557,8 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, mapt[entries].sid_name_use = map.sid_name_use; fstrcpy(mapt[entries].nt_name, map.nt_name); fstrcpy(mapt[entries].comment, map.comment); - mapt[entries].privilege = map.privilege; + for (i=0; i<PRIV_ALL_INDEX; i++) + mapt[entries].privileges[i] = map.privileges[i]; entries++; } 
@@ -456,7 +569,7 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap, /**************************************************************************** -convert a privilege list to a privilege value +convert a privilege string to a privilege array ****************************************************************************/ void convert_priv_from_text(uint32 *se_priv, char *privilege) { @@ -465,46 +578,44 @@ void convert_priv_from_text(uint32 *se_priv, char *privilege) int i; /* By default no privilege */ - (*se_priv)=0x0; - + init_privilege(se_priv); + if (privilege==NULL) return; while(next_token(&p, tok, " ", sizeof(tok)) ) { for (i=0; i<=PRIV_ALL_INDEX; i++) { if (StrCaseCmp(privs[i].priv, tok)==0) - (*se_priv)+=privs[i].se_priv; + add_privilege(se_priv, privs[i].se_priv); } } } /**************************************************************************** -convert a privilege value to a privilege list +convert a privilege array to a privilege string ****************************************************************************/ -void convert_priv_to_text(uint32 se_priv, char *privilege) +void convert_priv_to_text(uint32 *se_priv, char *privilege) { - int i; + int i=0,j; if (privilege==NULL) return; ZERO_STRUCTP(privilege); - if (se_priv==SE_PRIV_NONE) { - fstrcat(privilege, privs[0].priv); + if (check_empty_privilege(se_priv)) { + fstrcat(privilege, "No privilege"); return; } - if (se_priv==SE_PRIV_ALL) { - fstrcat(privilege, privs[PRIV_ALL_INDEX].priv); - return; - } + while(i<PRIV_ALL_INDEX && se_priv[i]!=0) { + j=1; + while (privs[j].se_priv!=se_priv[i]) + j++; - for (i=1; privs[i].se_priv!=SE_PRIV_ALL; i++) { - if ( (se_priv & privs[i].se_priv) == privs[i].se_priv) { - fstrcat(privilege, privs[i].priv); - fstrcat(privilege, " "); - } + fstrcat(privilege, privs[j].priv); + fstrcat(privilege, " "); + i++; } } 
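Review bot: The inner scan `while (privs[j].se_priv!=se_priv[i]) j++;` in `convert_priv_to_text` has no upper bound, so a stored value that matches no row of `privs[]` reads past the end of the table. The values come from the group mapping TDB via `map[i].privileges`, so a damaged or hand-edited record is enough to reach this. Bounding `j` by the table length and skipping unknown values keeps the listing usable. The sketch below assumes `privs[]` is the array defined at the top of this file.

```c
void convert_priv_to_text(uint32 *se_priv, char *privilege)
{
	int i=0,j;
	int nprivs=sizeof(privs)/sizeof(privs[0]);

	/* ... unchanged: NULL check, ZERO_STRUCTP, empty-list case ... */

	while(i<PRIV_ALL_INDEX && se_priv[i]!=0) {
		/* stop at the end of the table instead of scanning until a match */
		for (j=1; j<nprivs && privs[j].se_priv!=se_priv[i]; j++)
			;

		if (j<nprivs) {
			fstrcat(privilege, privs[j].priv);
			fstrcat(privilege, " ");
		}
		i++;
	}
}
```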
@@ -585,7 +696,7 @@ BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map) fstrcpy(map->nt_name, grp->gr_name); fstrcpy(map->comment, "Local Unix Group"); - map->privilege=SE_PRIV_NONE; + init_privilege(map->privileges); sid_copy(&map->sid, &sid); } @@ -632,7 +743,7 @@ BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map) if (!get_group_map_from_gid(gid, map)) { map->gid=gid; map->sid_name_use=SID_NAME_ALIAS; - map->privilege=SE_PRIV_NONE; + init_privilege(map->privileges); sid_copy(&map->sid, &global_sam_sid); sid_append_rid(&map->sid, pdb_gid_to_group_rid(gid)); diff --git a/source/include/mapping.h b/source/include/mapping.h index f016e148ba8..9a64eefa563 100644 --- a/source/include/mapping.h +++ b/source/include/mapping.h @@ -20,13 +20,26 @@ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ +#define PRIV_ALL_INDEX 5 + +#define SE_PRIV_NONE 0x0000 +#define SE_PRIV_ADD_MACHINES 0x0006 +#define SE_PRIV_SEC_PRIV 0x0008 +#define SE_PRIV_TAKE_OWNER 0x0009 +#define SE_PRIV_ADD_USERS 0xff01 +#define SE_PRIV_PRINT_OPERATOR 0xff03 +#define SE_PRIV_ALL 0xffff + +#define ENUM_ONLY_MAPPED True +#define ENUM_ALL_MAPPED False + typedef struct _GROUP_MAP { gid_t gid; DOM_SID sid; enum SID_NAME_USE sid_name_use; fstring nt_name; fstring comment; - uint32 privilege; + uint32 privileges[PRIV_ALL_INDEX]; } GROUP_MAP; typedef struct _PRIVS { @@ -35,14 +48,3 @@ typedef struct _PRIVS { char *description; } PRIVS; -#define SE_PRIV_NONE 0x0000 -#define SE_PRIV_ADD_USERS 0x0001 -#define SE_PRIV_ADD_MACHINES 0x0002 -#define SE_PRIV_PRINT_OPERATOR 0x0004 -#define SE_PRIV_ALL 0xffff - -#define PRIV_ALL_INDEX 3 - - -#define ENUM_ONLY_MAPPED True -#define ENUM_ALL_MAPPED False diff --git a/source/libsmb/cli_lsarpc.c b/source/libsmb/cli_lsarpc.c index 97f604fcb5e..e944734292e 100644 --- a/source/libsmb/cli_lsarpc.c +++ b/source/libsmb/cli_lsarpc.c 
@@ -787,6 +787,8 @@ NTSTATUS cli_lsa_enum_sids(struct cli_state *cli, TALLOC_CTX *mem_ctx, goto done; } + if (r.sids.num_entries==0) + goto done; /* Return output parameters */ diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c index 823feadea76..dc8e5471e15 100644 --- a/source/passdb/passdb.c +++ b/source/passdb/passdb.c @@ -75,7 +75,6 @@ static BOOL pdb_fill_default_sam(SAM_ACCOUNT *user) user->logoff_time = user->kickoff_time = user->pass_must_change_time = get_time_t_max(); - user->unknown_3 = 0x00ffffff; /* don't know */ user->logon_divs = 168; /* hours per week */ user->hours_len = 21; /* 21 times 8 bits = 168 */ @@ -536,6 +535,11 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use) } else { gid_t gid; struct group *gr; + GROUP_MAP map; + DOM_SID local_sid; + + sid_copy(&local_sid, &global_sam_sid); + sid_append_rid(&local_sid, rid); /* * Don't try to convert the rid to a name if running @@ -544,6 +548,16 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use) if (lp_hide_local_users()) return False; + + /* check if it's a mapped group */ + if (get_group_map_from_sid(local_sid, &map)) { + if (map.gid!=-1) { + DEBUG(5,("local_local_rid: mapped group %s to gid %u\n", map.nt_name, (unsigned int)map.gid)); + fstrcpy(name, map.nt_name); + *psid_name_use = map.sid_name_use; + return True; + } + } gid = pdb_user_rid_to_gid(rid); gr = getgrgid(gid); 
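Review bot: The new debug line is tagged `local_local_rid:` but sits in `local_lookup_rid`, so a log search for the function name misses it; the prefix should read `local_lookup_rid: mapped group %s to gid %u\n`. A mapping whose `gid` is -1 silently falls through to the `pdb_user_rid_to_gid`/`getgrgid` path. A one-line comment such as `/* unmapped entry: fall back to the rid-to-gid lookup below */` would make that intent explicit. The function body continues outside the hunk.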
@@ -617,13 +631,24 @@ BOOL local_lookup_name(const char *c_domain, const char *c_user, DOM_SID *psid, /* * Maybe it was a group ? */ - struct group *grp = getgrnam(user); - - if(!grp) - return False; + struct group *grp; + GROUP_MAP map; + + /* check if it's a mapped group */ + if (get_group_map_from_ntname(user, &map)) { + if (map.gid!=-1) { + /* yes it's a mapped group to a valid unix group */ + sid_copy(&local_sid, &map.sid); + *psid_name_use = map.sid_name_use; + } + } else { + grp = getgrnam(user); + if(!grp) + return False; - sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid)); - *psid_name_use = SID_NAME_ALIAS; + sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid)); + *psid_name_use = SID_NAME_ALIAS; + } } sid_copy( psid, &local_sid); diff --git a/source/rpc_parse/parse_lsa.c b/source/rpc_parse/parse_lsa.c index 6d5332794f1..10a9efbe49d 100644 --- a/source/rpc_parse/parse_lsa.c +++ b/source/rpc_parse/parse_lsa.c @@ -854,6 +854,15 @@ static BOOL lsa_io_sid_enum(char *desc, LSA_SID_ENUM *sen, prs_struct *ps, return False; if(!prs_uint32("ptr_sid_enum", ps, depth, &sen->ptr_sid_enum)) return False; + + /* + if the ptr is NULL, leave here. checked from a real w2k trace. + JFM, 11/23/2001 + */ + + if (sen->ptr_sid_enum==0) + return True; + if(!prs_uint32("num_entries2", ps, depth, &sen->num_entries2)) return False; diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c index f221582d862..03d48aa5e79 100644 --- a/source/rpc_server/srv_lsa_nt.c +++ b/source/rpc_server/srv_lsa_nt.c @@ -543,7 +543,7 @@ NTSTATUS _lsa_enum_privs(pipes_struct *p, LSA_Q_ENUM_PRIVS *q_u, LSA_R_ENUM_PRIV return NT_STATUS_INVALID_HANDLE; if (enum_context >= PRIV_ALL_INDEX) - return NT_STATUS_UNABLE_TO_FREE_VM; + return NT_STATUS_NO_MORE_ENTRIES; entries = (LSA_PRIV_ENTRY *)talloc_zero(p->mem_ctx, sizeof(LSA_PRIV_ENTRY) * (PRIV_ALL_INDEX)); if (entries==NULL) 
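Review bot: When `get_group_map_from_ntname` succeeds but `map.gid` is -1, neither branch in `local_lookup_name` runs: `local_sid` is left as it was and `*psid_name_use` is never written, yet control still reaches `sid_copy( psid, &local_sid)`. Unless the lines after the hunk handle this, the caller receives a SID and an unset name type for a group that is not mapped to a unix group. Folding the test into one condition, `if (get_group_map_from_ntname(user, &map) && map.gid!=-1) {`, sends that case to the `getgrnam` branch; an explicit `return False;` would reject it instead.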
@@ -625,6 +625,9 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU if(!enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED)) return NT_STATUS_OK; + if (q_u->enum_context >= num_entries) + return NT_STATUS_NO_MORE_ENTRIES; + sids->ptr_sid = (uint32 *)talloc_zero(p->mem_ctx, (num_entries-q_u->enum_context)*sizeof(uint32)); sids->sid = (DOM_SID2 *)talloc_zero(p->mem_ctx, (num_entries-q_u->enum_context)*sizeof(DOM_SID2)); @@ -707,7 +710,7 @@ NTSTATUS _lsa_open_account(pipes_struct *p, LSA_Q_OPENACCOUNT *q_u, LSA_R_OPENAC } /*************************************************************************** - + For a given SID, enumerate all the privilege this account has. ***************************************************************************/ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LSA_R_ENUMPRIVSACCOUNT *r_u) @@ -729,7 +732,7 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS return NT_STATUS_NO_SUCH_GROUP; for (i=1; privs[i].se_priv!=SE_PRIV_ALL; i++) { - if ( (map.privilege & privs[i].se_priv) == privs[i].se_priv) { + if ( check_priv_in_privilege(map.privileges, privs[i].se_priv)) { set=(LUID_ATTR *)talloc_realloc(p->mem_ctx, set, (count+1)*sizeof(LUID_ATTR)); if (set == NULL) return NT_STATUS_NO_MEMORY; @@ -738,8 +741,7 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS set[count].luid.high=1; set[count].attr=0; - count++; - + count++; } } diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c index c872c9f99fb..f1f3040ba45 100644 --- a/source/rpc_server/srv_samr_nt.c +++ b/source/rpc_server/srv_samr_nt.c 
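Review bot: The new early return in `_lsa_enum_accounts` comes after `enum_group_mapping` has filled `map`. If that array is heap-allocated (the allocation is not visible in this diff), the `NT_STATUS_NO_MORE_ENTRIES` path never releases it, and every request with an out-of-range `enum_context` leaks one copy. `if (q_u->enum_context >= num_entries) { SAFE_FREE(map); return NT_STATUS_NO_MORE_ENTRIES; }` would close that, assuming `map` is freed the same way on the normal path. The comparison also mixes `num_entries` with a client-supplied value; if `num_entries` is a signed `int`, as it is in `listgroup`, an explicit cast would make the intended comparison clear.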
@@ -810,7 +810,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM /* well-known aliases */ if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) { - enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ALL_MAPPED); + enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED); if (num_entries != 0) { *d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP)); diff --git a/source/utils/smbgroupedit.c b/source/utils/smbgroupedit.c index 8d99e8e600d..b6138fa5760 100644 --- a/source/utils/smbgroupedit.c +++ b/source/utils/smbgroupedit.c @@ -38,7 +38,7 @@ extern int optind; static void usage(void) { if (getuid() == 0) { - printf("groupedit options\n"); + printf("smbgroupedit options\n"); } else { printf("You need to be root to use this tool!\n"); } @@ -47,6 +47,8 @@ static void usage(void) printf(" -n group NT group name\n"); printf(" -p privilege only local\n"); printf(" -v list groups\n"); + printf(" -l long list (include details)\n"); + printf(" -s short list (default)\n"); printf(" -c SID change group\n"); printf(" -u unix group\n"); printf(" -x group delete this group\n"); @@ -60,16 +62,12 @@ static void usage(void) **********************************************************/ int addgroup(char *group, enum SID_NAME_USE sid_type, char *ntgroup, char *ntcomment, char *privilege) { - uint32 se_priv; + uint32 se_priv[PRIV_ALL_INDEX]; gid_t gid; DOM_SID sid; fstring string_sid; fstring name, comment; -/* convert_priv_from_text(&se_priv, privilege);*/ - - se_priv=0x0; - gid=nametogid(group); if (gid==-1) return -1; @@ -87,6 +85,10 @@ int addgroup(char *group, enum SID_NAME_USE sid_type, char *ntgroup, char *ntcom else fstrcpy(comment, ntcomment); + init_privilege(se_priv); + if (privilege!=NULL) + convert_priv_from_text(se_priv, privilege); + if(!add_initial_entry(gid, string_sid, sid_type, name, comment, se_priv)) return -1; 
@@ -101,7 +103,7 @@ int changegroup(char *sid_string, char *group, enum SID_NAME_USE sid_type, char DOM_SID sid; GROUP_MAP map; gid_t gid; - uint32 se_priv; + uint32 se_priv[PRIV_ALL_INDEX]; string_to_sid(&sid, sid_string); @@ -139,8 +141,10 @@ int changegroup(char *sid_string, char *group, enum SID_NAME_USE sid_type, char /* Change the privilege if new one */ if (privilege!=NULL) { - convert_priv_from_text(&se_priv, privilege); - map.privilege=se_priv; + int i; + convert_priv_from_text(se_priv, privilege); + for(i=0; i<PRIV_ALL_INDEX; i++) + map.privileges[i]=se_priv[i]; } if (!add_mapping_entry(&map, TDB_REPLACE)) { @@ -169,7 +173,7 @@ BOOL deletegroup(char *group) /********************************************************* List the groups. **********************************************************/ -int listgroup(enum SID_NAME_USE sid_type) +int listgroup(enum SID_NAME_USE sid_type, BOOL long_list) { int entries,i; GROUP_MAP *map=NULL; @@ -177,7 +181,8 @@ int listgroup(enum SID_NAME_USE sid_type) fstring group_type; fstring priv_text; - printf("Unix\tSID\ttype\tnt name\tnt comment\tprivilege\n"); + if (!long_list) + printf("NT group (SID) -> Unix group\n"); if (!enum_group_mapping(sid_type, &map, &entries, ENUM_ALL_MAPPED)) return -1; 
@@ -185,10 +190,18 @@ int listgroup(enum SID_NAME_USE sid_type) for (i=0; i<entries; i++) { decode_sid_name_use(group_type, (map[i]).sid_name_use); sid_to_string(string_sid, &map[i].sid); - convert_priv_to_text(map[i].privilege, priv_text); - - printf("%s\t%s\t%s\n\t%s\t%s\t%s\n\n", gidtoname(map[i].gid), map[i].nt_name, string_sid, - group_type, map[i].comment, priv_text); + convert_priv_to_text(map[i].privileges, priv_text); + + if (!long_list) + printf("%s (%s) -> %s\n", map[i].nt_name, string_sid, gidtoname(map[i].gid)); + else { + printf("%s\n", map[i].nt_name); + printf("\tSID : %s\n", string_sid); + printf("\tUnix group: %s\n", gidtoname(map[i].gid)); + printf("\tGroup type: %s\n", group_type); + printf("\tComment : %s\n", map[i].comment); + printf("\tPrivilege : %s\n\n", priv_text); + } } return 0; @@ -207,7 +220,8 @@ int main (int argc, char **argv) BOOL nt_group = False; BOOL priv = False; BOOL group_type = False; - + BOOL long_list = False; + char *group = NULL; char *sid = NULL; char *ntgroup = NULL; @@ -235,7 +249,7 @@ int main (int argc, char **argv) exit(1); } - while ((ch = getopt(argc, argv, "a:c:d:n:p:t:u:vx:")) != EOF) { + while ((ch = getopt(argc, argv, "a:c:d:ln:p:st:u:vx:")) != EOF) { switch(ch) { case 'a': add_group = True; @@ -248,6 +262,9 @@ int main (int argc, char **argv) case 'd': group_desc=optarg; break; + case 'l': + long_list = True; + break; case 'n': nt_group = True; ntgroup=optarg; @@ -256,6 +273,9 @@ int main (int argc, char **argv) priv = True; privilege=optarg; break; + case 's': + long_list = False; + break; case 't': group_type = True; groupt=optarg; @@ -325,7 +345,7 @@ int main (int argc, char **argv) return addgroup(group, sid_type, ntgroup, group_desc, privilege); if (view_group) - return listgroup(sid_type); + return listgroup(sid_type, long_list); if (delete_group) return deletegroup(group); |