summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJean-François Micouleau <jfm@samba.org>2001-11-23 15:11:22 +0000
committerJean-François Micouleau <jfm@samba.org>2001-11-23 15:11:22 +0000
commitf29774e58973f421bfa163c45bfae201a140f28c (patch)
tree1410ee22b26ef73fcab2968f8872bd9804249666
parenta58d0f91f9ee7354c01a9c20cfe178d5dc02142d (diff)
downloadsamba-f29774e58973f421bfa163c45bfae201a140f28c.tar.gz
samba-f29774e58973f421bfa163c45bfae201a140f28c.tar.xz
samba-f29774e58973f421bfa163c45bfae201a140f28c.zip
Changed how the privileges are stored in the group mapping code. It's now
an array of uint32. That's not perfect but that's better. Added more privileges too. Changed the local_lookup_rid/name functions in passdb.c to check if the group is mapped. Makes the LSA rpc calls return correct groups Corrected the return code in the LSA server code enum_sids. Only enumerate well known aliases if they are mapped to real unix groups. Won't confuse user seeing groups not available. Added a short/long view to smbgroupedit. now decoding rpc calls to add/remove privileges to sid. J.F.
-rw-r--r--source/groupdb/mapping.c215
-rw-r--r--source/include/mapping.h26
-rw-r--r--source/libsmb/cli_lsarpc.c2
-rw-r--r--source/passdb/passdb.c39
-rw-r--r--source/rpc_parse/parse_lsa.c9
-rw-r--r--source/rpc_server/srv_lsa_nt.c12
-rw-r--r--source/rpc_server/srv_samr_nt.c2
-rw-r--r--source/utils/smbgroupedit.c56
8 files changed, 266 insertions, 95 deletions
diff --git a/source/groupdb/mapping.c b/source/groupdb/mapping.c
index 5173132af89..678824d8129 100644
--- a/source/groupdb/mapping.c
+++ b/source/groupdb/mapping.c
@@ -30,11 +30,13 @@ static TDB_CONTEXT *tdb; /* used for driver files */
#define GROUP_PREFIX "UNIXGROUP/"
PRIVS privs[] = {
- {SE_PRIV_NONE, "no_privs", "No privilege"},
- {SE_PRIV_ADD_USERS, "add_users", "add users"},
- {SE_PRIV_ADD_MACHINES, "add_computers", "add computers to domain"},
- {SE_PRIV_PRINT_OPERATOR, "print_op", "printer operator"},
- {SE_PRIV_ALL, "all_privs", "all privileges"}
+ {SE_PRIV_NONE, "no_privs", "No privilege" }, /* this one MUST be first */
+ {SE_PRIV_ADD_MACHINES, "SeMachineAccountPrivilege", "Add workstations to the domain" },
+ {SE_PRIV_SEC_PRIV, "SeSecurityPrivilege", "Manage the audit logs" },
+ {SE_PRIV_TAKE_OWNER, "SeTakeOwnershipPrivilege", "Take ownership of file" },
+ {SE_PRIV_ADD_USERS, "SaAddUsers", "Add users to the domain - Samba" },
+ {SE_PRIV_PRINT_OPERATOR, "SaPrintOp", "Add or remove printers - Samba" },
+ {SE_PRIV_ALL, "SaAllPrivs", "all privileges" }
};
/*
PRIVS privs[] = {
@@ -61,6 +63,9 @@ PRIVS privs[] = {
{ 22, "SeSystemEnvironmentPrivilege" },
{ 23, "SeChangeNotifyPrivilege" },
{ 24, "SeRemoteShutdownPrivilege" },
+ { 25, "SeUndockPrivilege" },
+ { 26, "SeSyncAgentPrivilege" },
+ { 27, "SeEnableDelegationPrivilege" },
};
*/
@@ -157,11 +162,15 @@ BOOL add_mapping_entry(GROUP_MAP *map, int flag)
pstring key, buf;
fstring string_sid="";
int len;
+ int i;
sid_to_string(string_sid, &map->sid);
- len = tdb_pack(buf, sizeof(buf), "ddffd",
- map->gid, map->sid_name_use, map->nt_name, map->comment, map->privilege);
+ len = tdb_pack(buf, sizeof(buf), "ddff",
+ map->gid, map->sid_name_use, map->nt_name, map->comment);
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ len += tdb_pack(buf+len, sizeof(buf)-len, "d", map->privileges[i]);
if (len > sizeof(buf)) return False;
@@ -180,16 +189,18 @@ BOOL add_mapping_entry(GROUP_MAP *map, int flag)
initialise first time the mapping list
****************************************************************************/
BOOL add_initial_entry(gid_t gid, fstring sid, enum SID_NAME_USE sid_name_use,
- fstring nt_name, fstring comment, uint32 privilege)
+ fstring nt_name, fstring comment, uint32 *privilege)
{
GROUP_MAP map;
+ int i;
map.gid=gid;
string_to_sid(&map.sid, sid);
map.sid_name_use=sid_name_use;
fstrcpy(map.nt_name, nt_name);
fstrcpy(map.comment, comment);
- map.privilege=privilege;
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ map.privileges[i]=privilege[i];
add_mapping_entry(&map, TDB_INSERT);
@@ -197,6 +208,79 @@ BOOL add_initial_entry(gid_t gid, fstring sid, enum SID_NAME_USE sid_name_use,
}
/****************************************************************************
+initialise a privilege list
+****************************************************************************/
+void init_privilege(uint32 *privilege)
+{
+ int i;
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ privilege[i]=0;
+}
+
+/****************************************************************************
+add a privilege to a privilege array
+****************************************************************************/
+BOOL add_privilege(uint32 *privilege, uint32 priv)
+{
+ int i;
+
+ while (i<PRIV_ALL_INDEX && privilege[i]!=0 && privilege[i]!=priv)
+ i++;
+
+ if (i==PRIV_ALL_INDEX) {
+ DEBUG(10,("add_privilege: the privilege array is full, can't add new priv\n"));
+ return False;
+ }
+
+ if (privilege[i]==priv) {
+ DEBUG(10,("add_privilege: privilege already in array\n"));
+ return False;
+ }
+
+ if (privilege[i]==0)
+ privilege[i]=priv;
+
+ return True;
+}
+
+/****************************************************************************
+add all the privileges to a privilege array
+****************************************************************************/
+BOOL add_all_privilege(uint32 *privilege)
+{
+ add_privilege(privilege, SE_PRIV_ADD_USERS);
+ add_privilege(privilege, SE_PRIV_ADD_MACHINES);
+ add_privilege(privilege, SE_PRIV_PRINT_OPERATOR);
+}
+
+/****************************************************************************
+check if the privilege list is empty
+****************************************************************************/
+BOOL check_empty_privilege(uint32 *privilege)
+{
+ int i;
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ if(privilege[i]!=0)
+ return False;
+ return True;
+}
+
+/****************************************************************************
+check if the privilege is in the privilege list
+****************************************************************************/
+BOOL check_priv_in_privilege(uint32 *privilege, uint32 priv)
+{
+ int i;
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ if(privilege[i]==priv)
+ return True;
+ return False;
+}
+
+/****************************************************************************
initialise first time the mapping list
****************************************************************************/
BOOL default_group_mapping(void)
@@ -207,38 +291,50 @@ BOOL default_group_mapping(void)
fstring str_admins;
fstring str_users;
fstring str_guests;
+ int i;
+
+ uint32 privilege_none[PRIV_ALL_INDEX];
+ uint32 privilege_all[PRIV_ALL_INDEX];
+ uint32 privilege_print_op[PRIV_ALL_INDEX];
+
+ init_privilege(privilege_none);
+ init_privilege(privilege_all);
+ init_privilege(privilege_print_op);
+ add_privilege(privilege_print_op, SE_PRIV_PRINT_OPERATOR);
+
+ add_all_privilege(privilege_all);
/* Add the Wellknown groups */
- add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "", SE_PRIV_ALL);
- add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "", SE_PRIV_NONE);
- add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "", SE_PRIV_NONE);
- add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "", SE_PRIV_NONE);
+ add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "", privilege_all);
+ add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "", privilege_none);
+ add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "", privilege_none);
+ add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "", privilege_none);
- add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "", SE_PRIV_NONE);
- add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "", SE_PRIV_NONE);
- add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "", SE_PRIV_PRINT_OPERATOR);
- add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "", SE_PRIV_NONE);
+ add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "", privilege_none);
+ add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "", privilege_none);
+ add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "", privilege_print_op);
+ add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "", privilege_none);
- add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "", SE_PRIV_NONE);
+ add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "", privilege_none);
/* Add the defaults domain groups */
sid_copy(&sid_admins, &global_sam_sid);
sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS);
sid_to_string(str_admins, &sid_admins);
- add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "", SE_PRIV_ALL);
+ add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "", privilege_all);
sid_copy(&sid_users, &global_sam_sid);
sid_append_rid(&sid_users, DOMAIN_GROUP_RID_USERS);
sid_to_string(str_users, &sid_users);
- add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "", SE_PRIV_NONE);
+ add_initial_entry(-1, str_users, SID_NAME_DOM_GRP, "Domain Users", "", privilege_none);
sid_copy(&sid_guests, &global_sam_sid);
sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS);
sid_to_string(str_guests, &sid_guests);
- add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "", SE_PRIV_NONE);
+ add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "", privilege_none);
return True;
}
@@ -253,6 +349,7 @@ BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
pstring key;
fstring string_sid;
int ret;
+ int i;
/* the key is the SID, retrieving is direct */
@@ -265,12 +362,15 @@ BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
dbuf = tdb_fetch(tdb, kbuf);
if (!dbuf.dptr) return False;
- ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
- &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->privilege);
+ ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
+ &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &map->privileges[i]);
SAFE_FREE(dbuf.dptr);
if (ret != dbuf.dsize) {
- DEBUG(0,("get_group_map_from_sid: mapping TDB corrupted ?\n"));
+ DEBUG(0,("get_group_map_from_sid: group mapping TDB corrupted ?\n"));
return False;
}
@@ -288,6 +388,7 @@ BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map)
TDB_DATA kbuf, dbuf, newkey;
fstring string_sid;
int ret;
+ int i;
/* we need to enumerate the TDB to find the GID */
@@ -304,8 +405,11 @@ BOOL get_group_map_from_gid(gid_t gid, GROUP_MAP *map)
string_to_sid(&map->sid, string_sid);
- ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
- &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->privilege);
+ ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
+ &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &map->privileges[i]);
SAFE_FREE(dbuf.dptr);
if (ret != dbuf.dsize) continue;
@@ -325,8 +429,9 @@ BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map)
TDB_DATA kbuf, dbuf, newkey;
fstring string_sid;
int ret;
+ int i;
- /* we need to enumerate the TDB to find the GID */
+ /* we need to enumerate the TDB to find the SID */
for (kbuf = tdb_firstkey(tdb);
kbuf.dptr;
@@ -341,8 +446,11 @@ BOOL get_group_map_from_ntname(char *name, GROUP_MAP *map)
string_to_sid(&map->sid, string_sid);
- ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
- &map->gid, &map->sid_name_use, &map->nt_name, &map->comment, &map->privilege);
+ ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
+ &map->gid, &map->sid_name_use, &map->nt_name, &map->comment);
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &map->privileges[i]);
SAFE_FREE(dbuf.dptr);
if (ret != dbuf.dsize) continue;
@@ -397,6 +505,7 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
GROUP_MAP *mapt;
int ret;
int entries=0;
+ int i;
*num_entries=0;
*rmap=NULL;
@@ -414,8 +523,11 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
fstrcpy(string_sid, kbuf.dptr+strlen(GROUP_PREFIX));
- ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddffd",
- &map.gid, &map.sid_name_use, &map.nt_name, &map.comment, &map.privilege);
+ ret = tdb_unpack(dbuf.dptr, dbuf.dsize, "ddff",
+ &map.gid, &map.sid_name_use, &map.nt_name, &map.comment);
+
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ ret += tdb_unpack(dbuf.dptr+ret, dbuf.dsize-ret, "d", &map.privileges[i]);
SAFE_FREE(dbuf.dptr);
if (ret != dbuf.dsize)
@@ -445,7 +557,8 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
mapt[entries].sid_name_use = map.sid_name_use;
fstrcpy(mapt[entries].nt_name, map.nt_name);
fstrcpy(mapt[entries].comment, map.comment);
- mapt[entries].privilege = map.privilege;
+ for (i=0; i<PRIV_ALL_INDEX; i++)
+ mapt[entries].privileges[i] = map.privileges[i];
entries++;
}
@@ -456,7 +569,7 @@ BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **rmap,
/****************************************************************************
-convert a privilege list to a privilege value
+convert a privilege string to a privilege array
****************************************************************************/
void convert_priv_from_text(uint32 *se_priv, char *privilege)
{
@@ -465,46 +578,44 @@ void convert_priv_from_text(uint32 *se_priv, char *privilege)
int i;
/* By default no privilege */
- (*se_priv)=0x0;
-
+ init_privilege(se_priv);
+
if (privilege==NULL)
return;
while(next_token(&p, tok, " ", sizeof(tok)) ) {
for (i=0; i<=PRIV_ALL_INDEX; i++) {
if (StrCaseCmp(privs[i].priv, tok)==0)
- (*se_priv)+=privs[i].se_priv;
+ add_privilege(se_priv, privs[i].se_priv);
}
}
}
/****************************************************************************
-convert a privilege value to a privilege list
+convert a privilege array to a privilege string
****************************************************************************/
-void convert_priv_to_text(uint32 se_priv, char *privilege)
+void convert_priv_to_text(uint32 *se_priv, char *privilege)
{
- int i;
+ int i=0,j;
if (privilege==NULL)
return;
ZERO_STRUCTP(privilege);
- if (se_priv==SE_PRIV_NONE) {
- fstrcat(privilege, privs[0].priv);
+ if (check_empty_privilege(se_priv)) {
+ fstrcat(privilege, "No privilege");
return;
}
- if (se_priv==SE_PRIV_ALL) {
- fstrcat(privilege, privs[PRIV_ALL_INDEX].priv);
- return;
- }
+ while(i<PRIV_ALL_INDEX && se_priv[i]!=0) {
+ j=1;
+ while (privs[j].se_priv!=se_priv[i])
+ j++;
- for (i=1; privs[i].se_priv!=SE_PRIV_ALL; i++) {
- if ( (se_priv & privs[i].se_priv) == privs[i].se_priv) {
- fstrcat(privilege, privs[i].priv);
- fstrcat(privilege, " ");
- }
+ fstrcat(privilege, privs[j].priv);
+ fstrcat(privilege, " ");
+ i++;
}
}
@@ -585,7 +696,7 @@ BOOL get_local_group_from_sid(DOM_SID sid, GROUP_MAP *map)
fstrcpy(map->nt_name, grp->gr_name);
fstrcpy(map->comment, "Local Unix Group");
- map->privilege=SE_PRIV_NONE;
+ init_privilege(map->privileges);
sid_copy(&map->sid, &sid);
}
@@ -632,7 +743,7 @@ BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map)
if (!get_group_map_from_gid(gid, map)) {
map->gid=gid;
map->sid_name_use=SID_NAME_ALIAS;
- map->privilege=SE_PRIV_NONE;
+ init_privilege(map->privileges);
sid_copy(&map->sid, &global_sam_sid);
sid_append_rid(&map->sid, pdb_gid_to_group_rid(gid));
diff --git a/source/include/mapping.h b/source/include/mapping.h
index f016e148ba8..9a64eefa563 100644
--- a/source/include/mapping.h
+++ b/source/include/mapping.h
@@ -20,13 +20,26 @@
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
+#define PRIV_ALL_INDEX 5
+
+#define SE_PRIV_NONE 0x0000
+#define SE_PRIV_ADD_MACHINES 0x0006
+#define SE_PRIV_SEC_PRIV 0x0008
+#define SE_PRIV_TAKE_OWNER 0x0009
+#define SE_PRIV_ADD_USERS 0xff01
+#define SE_PRIV_PRINT_OPERATOR 0xff03
+#define SE_PRIV_ALL 0xffff
+
+#define ENUM_ONLY_MAPPED True
+#define ENUM_ALL_MAPPED False
+
typedef struct _GROUP_MAP {
gid_t gid;
DOM_SID sid;
enum SID_NAME_USE sid_name_use;
fstring nt_name;
fstring comment;
- uint32 privilege;
+ uint32 privileges[PRIV_ALL_INDEX];
} GROUP_MAP;
typedef struct _PRIVS {
@@ -35,14 +48,3 @@ typedef struct _PRIVS {
char *description;
} PRIVS;
-#define SE_PRIV_NONE 0x0000
-#define SE_PRIV_ADD_USERS 0x0001
-#define SE_PRIV_ADD_MACHINES 0x0002
-#define SE_PRIV_PRINT_OPERATOR 0x0004
-#define SE_PRIV_ALL 0xffff
-
-#define PRIV_ALL_INDEX 3
-
-
-#define ENUM_ONLY_MAPPED True
-#define ENUM_ALL_MAPPED False
diff --git a/source/libsmb/cli_lsarpc.c b/source/libsmb/cli_lsarpc.c
index 97f604fcb5e..e944734292e 100644
--- a/source/libsmb/cli_lsarpc.c
+++ b/source/libsmb/cli_lsarpc.c
@@ -787,6 +787,8 @@ NTSTATUS cli_lsa_enum_sids(struct cli_state *cli, TALLOC_CTX *mem_ctx,
goto done;
}
+ if (r.sids.num_entries==0)
+ goto done;
/* Return output parameters */
diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c
index 823feadea76..dc8e5471e15 100644
--- a/source/passdb/passdb.c
+++ b/source/passdb/passdb.c
@@ -75,7 +75,6 @@ static BOOL pdb_fill_default_sam(SAM_ACCOUNT *user)
user->logoff_time =
user->kickoff_time =
user->pass_must_change_time = get_time_t_max();
-
user->unknown_3 = 0x00ffffff; /* don't know */
user->logon_divs = 168; /* hours per week */
user->hours_len = 21; /* 21 times 8 bits = 168 */
@@ -536,6 +535,11 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use)
} else {
gid_t gid;
struct group *gr;
+ GROUP_MAP map;
+ DOM_SID local_sid;
+
+ sid_copy(&local_sid, &global_sam_sid);
+ sid_append_rid(&local_sid, rid);
/*
* Don't try to convert the rid to a name if running
@@ -544,6 +548,16 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use)
if (lp_hide_local_users())
return False;
+
+ /* check if it's a mapped group */
+ if (get_group_map_from_sid(local_sid, &map)) {
+ if (map.gid!=-1) {
+ DEBUG(5,("local_local_rid: mapped group %s to gid %u\n", map.nt_name, (unsigned int)map.gid));
+ fstrcpy(name, map.nt_name);
+ *psid_name_use = map.sid_name_use;
+ return True;
+ }
+ }
gid = pdb_user_rid_to_gid(rid);
gr = getgrgid(gid);
@@ -617,13 +631,24 @@ BOOL local_lookup_name(const char *c_domain, const char *c_user, DOM_SID *psid,
/*
* Maybe it was a group ?
*/
- struct group *grp = getgrnam(user);
-
- if(!grp)
- return False;
+ struct group *grp;
+ GROUP_MAP map;
+
+ /* check if it's a mapped group */
+ if (get_group_map_from_ntname(user, &map)) {
+ if (map.gid!=-1) {
+ /* yes it's a mapped group to a valid unix group */
+ sid_copy(&local_sid, &map.sid);
+ *psid_name_use = map.sid_name_use;
+ }
+ } else {
+ grp = getgrnam(user);
+ if(!grp)
+ return False;
- sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
- *psid_name_use = SID_NAME_ALIAS;
+ sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
+ *psid_name_use = SID_NAME_ALIAS;
+ }
}
sid_copy( psid, &local_sid);
diff --git a/source/rpc_parse/parse_lsa.c b/source/rpc_parse/parse_lsa.c
index 6d5332794f1..10a9efbe49d 100644
--- a/source/rpc_parse/parse_lsa.c
+++ b/source/rpc_parse/parse_lsa.c
@@ -854,6 +854,15 @@ static BOOL lsa_io_sid_enum(char *desc, LSA_SID_ENUM *sen, prs_struct *ps,
return False;
if(!prs_uint32("ptr_sid_enum", ps, depth, &sen->ptr_sid_enum))
return False;
+
+ /*
+ if the ptr is NULL, leave here. checked from a real w2k trace.
+ JFM, 11/23/2001
+ */
+
+ if (sen->ptr_sid_enum==0)
+ return True;
+
if(!prs_uint32("num_entries2", ps, depth, &sen->num_entries2))
return False;
diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c
index f221582d862..03d48aa5e79 100644
--- a/source/rpc_server/srv_lsa_nt.c
+++ b/source/rpc_server/srv_lsa_nt.c
@@ -543,7 +543,7 @@ NTSTATUS _lsa_enum_privs(pipes_struct *p, LSA_Q_ENUM_PRIVS *q_u, LSA_R_ENUM_PRIV
return NT_STATUS_INVALID_HANDLE;
if (enum_context >= PRIV_ALL_INDEX)
- return NT_STATUS_UNABLE_TO_FREE_VM;
+ return NT_STATUS_NO_MORE_ENTRIES;
entries = (LSA_PRIV_ENTRY *)talloc_zero(p->mem_ctx, sizeof(LSA_PRIV_ENTRY) * (PRIV_ALL_INDEX));
if (entries==NULL)
@@ -625,6 +625,9 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU
if(!enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED))
return NT_STATUS_OK;
+ if (q_u->enum_context >= num_entries)
+ return NT_STATUS_NO_MORE_ENTRIES;
+
sids->ptr_sid = (uint32 *)talloc_zero(p->mem_ctx, (num_entries-q_u->enum_context)*sizeof(uint32));
sids->sid = (DOM_SID2 *)talloc_zero(p->mem_ctx, (num_entries-q_u->enum_context)*sizeof(DOM_SID2));
@@ -707,7 +710,7 @@ NTSTATUS _lsa_open_account(pipes_struct *p, LSA_Q_OPENACCOUNT *q_u, LSA_R_OPENAC
}
/***************************************************************************
-
+ For a given SID, enumerate all the privilege this account has.
***************************************************************************/
NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LSA_R_ENUMPRIVSACCOUNT *r_u)
@@ -729,7 +732,7 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS
return NT_STATUS_NO_SUCH_GROUP;
for (i=1; privs[i].se_priv!=SE_PRIV_ALL; i++) {
- if ( (map.privilege & privs[i].se_priv) == privs[i].se_priv) {
+ if ( check_priv_in_privilege(map.privileges, privs[i].se_priv)) {
set=(LUID_ATTR *)talloc_realloc(p->mem_ctx, set, (count+1)*sizeof(LUID_ATTR));
if (set == NULL) return NT_STATUS_NO_MEMORY;
@@ -738,8 +741,7 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS
set[count].luid.high=1;
set[count].attr=0;
- count++;
-
+ count++;
}
}
diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index c872c9f99fb..f1f3040ba45 100644
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -810,7 +810,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM
/* well-known aliases */
if (sid_equal(sid, &global_sid_Builtin) && !lp_hide_local_users()) {
- enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ALL_MAPPED);
+ enum_group_mapping(SID_NAME_WKN_GRP, &map, (int *)&num_entries, ENUM_ONLY_MAPPED);
if (num_entries != 0) {
*d_grp=(DOMAIN_GRP *)talloc_zero(ctx, num_entries*sizeof(DOMAIN_GRP));
diff --git a/source/utils/smbgroupedit.c b/source/utils/smbgroupedit.c
index 8d99e8e600d..b6138fa5760 100644
--- a/source/utils/smbgroupedit.c
+++ b/source/utils/smbgroupedit.c
@@ -38,7 +38,7 @@ extern int optind;
static void usage(void)
{
if (getuid() == 0) {
- printf("groupedit options\n");
+ printf("smbgroupedit options\n");
} else {
printf("You need to be root to use this tool!\n");
}
@@ -47,6 +47,8 @@ static void usage(void)
printf(" -n group NT group name\n");
printf(" -p privilege only local\n");
printf(" -v list groups\n");
+ printf(" -l long list (include details)\n");
+ printf(" -s short list (default)\n");
printf(" -c SID change group\n");
printf(" -u unix group\n");
printf(" -x group delete this group\n");
@@ -60,16 +62,12 @@ static void usage(void)
**********************************************************/
int addgroup(char *group, enum SID_NAME_USE sid_type, char *ntgroup, char *ntcomment, char *privilege)
{
- uint32 se_priv;
+ uint32 se_priv[PRIV_ALL_INDEX];
gid_t gid;
DOM_SID sid;
fstring string_sid;
fstring name, comment;
-/* convert_priv_from_text(&se_priv, privilege);*/
-
- se_priv=0x0;
-
gid=nametogid(group);
if (gid==-1)
return -1;
@@ -87,6 +85,10 @@ int addgroup(char *group, enum SID_NAME_USE sid_type, char *ntgroup, char *ntcom
else
fstrcpy(comment, ntcomment);
+ init_privilege(se_priv);
+ if (privilege!=NULL)
+ convert_priv_from_text(se_priv, privilege);
+
if(!add_initial_entry(gid, string_sid, sid_type, name, comment, se_priv))
return -1;
@@ -101,7 +103,7 @@ int changegroup(char *sid_string, char *group, enum SID_NAME_USE sid_type, char
DOM_SID sid;
GROUP_MAP map;
gid_t gid;
- uint32 se_priv;
+ uint32 se_priv[PRIV_ALL_INDEX];
string_to_sid(&sid, sid_string);
@@ -139,8 +141,10 @@ int changegroup(char *sid_string, char *group, enum SID_NAME_USE sid_type, char
/* Change the privilege if new one */
if (privilege!=NULL) {
- convert_priv_from_text(&se_priv, privilege);
- map.privilege=se_priv;
+ int i;
+ convert_priv_from_text(se_priv, privilege);
+ for(i=0; i<PRIV_ALL_INDEX; i++)
+ map.privileges[i]=se_priv[i];
}
if (!add_mapping_entry(&map, TDB_REPLACE)) {
@@ -169,7 +173,7 @@ BOOL deletegroup(char *group)
/*********************************************************
List the groups.
**********************************************************/
-int listgroup(enum SID_NAME_USE sid_type)
+int listgroup(enum SID_NAME_USE sid_type, BOOL long_list)
{
int entries,i;
GROUP_MAP *map=NULL;
@@ -177,7 +181,8 @@ int listgroup(enum SID_NAME_USE sid_type)
fstring group_type;
fstring priv_text;
- printf("Unix\tSID\ttype\tnt name\tnt comment\tprivilege\n");
+ if (!long_list)
+ printf("NT group (SID) -> Unix group\n");
if (!enum_group_mapping(sid_type, &map, &entries, ENUM_ALL_MAPPED))
return -1;
@@ -185,10 +190,18 @@ int listgroup(enum SID_NAME_USE sid_type)
for (i=0; i<entries; i++) {
decode_sid_name_use(group_type, (map[i]).sid_name_use);
sid_to_string(string_sid, &map[i].sid);
- convert_priv_to_text(map[i].privilege, priv_text);
-
- printf("%s\t%s\t%s\n\t%s\t%s\t%s\n\n", gidtoname(map[i].gid), map[i].nt_name, string_sid,
- group_type, map[i].comment, priv_text);
+ convert_priv_to_text(map[i].privileges, priv_text);
+
+ if (!long_list)
+ printf("%s (%s) -> %s\n", map[i].nt_name, string_sid, gidtoname(map[i].gid));
+ else {
+ printf("%s\n", map[i].nt_name);
+ printf("\tSID : %s\n", string_sid);
+ printf("\tUnix group: %s\n", gidtoname(map[i].gid));
+ printf("\tGroup type: %s\n", group_type);
+ printf("\tComment : %s\n", map[i].comment);
+ printf("\tPrivilege : %s\n\n", priv_text);
+ }
}
return 0;
@@ -207,7 +220,8 @@ int main (int argc, char **argv)
BOOL nt_group = False;
BOOL priv = False;
BOOL group_type = False;
-
+ BOOL long_list = False;
+
char *group = NULL;
char *sid = NULL;
char *ntgroup = NULL;
@@ -235,7 +249,7 @@ int main (int argc, char **argv)
exit(1);
}
- while ((ch = getopt(argc, argv, "a:c:d:n:p:t:u:vx:")) != EOF) {
+ while ((ch = getopt(argc, argv, "a:c:d:ln:p:st:u:vx:")) != EOF) {
switch(ch) {
case 'a':
add_group = True;
@@ -248,6 +262,9 @@ int main (int argc, char **argv)
case 'd':
group_desc=optarg;
break;
+ case 'l':
+ long_list = True;
+ break;
case 'n':
nt_group = True;
ntgroup=optarg;
@@ -256,6 +273,9 @@ int main (int argc, char **argv)
priv = True;
privilege=optarg;
break;
+ case 's':
+ long_list = False;
+ break;
case 't':
group_type = True;
groupt=optarg;
@@ -325,7 +345,7 @@ int main (int argc, char **argv)
return addgroup(group, sid_type, ntgroup, group_desc, privilege);
if (view_group)
- return listgroup(sid_type);
+ return listgroup(sid_type, long_list);
if (delete_group)
return deletegroup(group);