From 8894edc00c2629f8c75f5655390a4fcf6ffea75b Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 28 Jan 2005 17:24:52 +0000 Subject: [PATCH] r5059: last set of changes for 3.0.11rc1; includes Administrator sid_to_name() fix, samr access checks, and deprecated parameters/tools --- WHATSNEW.txt | 51 ++++++++++++++++++++--------------------- source/include/rpc_lsa.h | 2 +- source/include/rpc_secdes.h | 5 +++- source/include/smb.h | 2 +- source/param/loadparm.c | 2 +- source/passdb/passdb.c | 6 +++++ source/rpc_server/srv_lsa_nt.c | 22 +++++++++++++----- source/rpc_server/srv_samr_nt.c | 8 +++---- source/utils/testprns.c | 3 +++ 9 files changed, 61 insertions(+), 40 deletions(-) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 19416db47ed..dee91a009c5 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -16,25 +16,6 @@ Common bugs fixed in 3.0.11rc1 include: structure returned from domain controllers. -Administrator Domain SID ------------------------- - -Please note that when configured as a DC, it is now required -that an account in the server's passdb backend be set to the -domain SID of the default Administrator account. To obtain the -domain SID on a Samba DC, run the following command: - -root# net getlocalsid -SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299 - -You may then assign the Domain Administrator rid to an account -via pdbedit: - -root# pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 \ --u root -r - - - ###################################################################### Changes ####### @@ -42,6 +23,14 @@ Changes Changes since 3.0.11pre2 ------------------------ +smb.conf changes +---------------- + + Parameter Name Action + -------------- ------ + winbind enable local accounts Deprecated + + commits ------- o Jeremy Allison 
@@ -61,13 +50,22 @@ o Gerald (Jerry) Carter * Fix segfault in cups_queue_get(). * Tighten restrictions on changing user passwords when the connected user possesses the SeMachineAccountPrivilege. - + * Ensure we set NETBIOSNAME.domainname for the long machine name + when publishing printers in AD (based on input from Rob Foehl). + * Mark 'winbind enable local accounts' as deprecated. + * Mark testprns tool as deprecated. + * Allow root to grant/revoke privilege assignments. + * Correct interaction between user rights and se_access_check() on + SAMR objects. + o Guenther Deschner * Fix configure.in tests using KRB5_CONFIG variable and krb5- config utility. * Require assignment of Administrator SID in the passdb - backend. No longer default to 'root' or 'admin users' list. + backend. Fall back to the default name of 'Administrator' if + the lookup fails rather than using the first name in the + default 'admin users' list. * Enhance LDAP failure debug messages. @@ -114,8 +112,9 @@ LDAP Changes If "ldap user suffix" or "ldap machine suffix" are defined in smb.conf, all user-accounts must reside below the user suffix, -and all machine trust-accounts must be located below the machine -suffix. +and all machine and inter-domain trust-accounts must be located +below the machine suffix. Previous Samba releases would fall +back to searching the 'ldap suffix' in some cases. Privilege Model @@ -131,8 +130,8 @@ SeDiskOperatorPrivilege Manage disk shares These rights can be assigned to arbitrary users or groups via the 'net rpc rights grant/revoke' command. More details -of Samba's privilege implementation will be available in a -forthcoming HOWTO. +of Samba's privilege implementation can be found in the +Samba-HOWTO-Collection. ###################################################################### 
@@ -156,7 +155,7 @@ o Jeremy Allison * Fixes for libsmbclient to ensure that interrupted system calls are restarted minus the already expired portion of the timeout (based on work by Derrell Lipman). - * More unicode string parsing fixes. + * More Unicode string parsing fixes. * Convert the winreg pipe to use WERROR returns. * Make all LDAP timeouts consistent (input from Joe Meadows ). diff --git a/source/include/rpc_lsa.h b/source/include/rpc_lsa.h index a2bc72d2b2e..c0425271b32 100644 --- a/source/include/rpc_lsa.h +++ b/source/include/rpc_lsa.h @@ -207,7 +207,7 @@ typedef struct lsa_r_open_pol2_info POLICY_VIEW_AUDIT_INFORMATION |\ POLICY_GET_PRIVATE_INFORMATION) -#define POLICY_WRITE ( STANDARD_RIGHTS_WRITE_ACCESS |\ +#define POLICY_WRITE ( STD_RIGHT_READ_CONTROL_ACCESS |\ POLICY_TRUST_ADMIN |\ POLICY_CREATE_ACCOUNT |\ POLICY_CREATE_SECRET |\ diff --git a/source/include/rpc_secdes.h b/source/include/rpc_secdes.h index 1279007220c..3e4c47dce9a 100644 --- a/source/include/rpc_secdes.h +++ b/source/include/rpc_secdes.h @@ -251,7 +251,10 @@ typedef struct standard_mapping { #define STANDARD_RIGHTS_ALL_ACCESS STD_RIGHT_ALL_ACCESS /* 0x001f0000 */ #define STANDARD_RIGHTS_EXECUTE_ACCESS STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */ #define STANDARD_RIGHTS_READ_ACCESS STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */ -#define STANDARD_RIGHTS_WRITE_ACCESS STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */ +#define STANDARD_RIGHTS_WRITE_ACCESS \ + (STD_RIGHT_WRITE_OWNER_ACCESS | \ + STD_RIGHT_WRITE_DAC_ACCESS | \ + STD_RIGHT_DELETE_ACCESS) /* 0x000d0000 */ #define STANDARD_RIGHTS_REQUIRED_ACCESS \ (STD_RIGHT_DELETE_ACCESS | \ STD_RIGHT_READ_CONTROL_ACCESS | \ diff --git a/source/include/smb.h b/source/include/smb.h index 913061014db..c8946953785 100644 --- a/source/include/smb.h +++ b/source/include/smb.h 
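Review bot: POLICY_WRITE now spells STD_RIGHT_READ_CONTROL_ACCESS and nothing on the line says why a write mask begins with a read right; the next reader will take it for a typo and "fix" it. The reason is elsewhere in this patch — STANDARD_RIGHTS_WRITE_ACCESS is being redefined from READ_CONTROL to WRITE_OWNER|WRITE_DAC|DELETE — and belongs in a comment here: `/* READ_CONTROL on purpose, not STANDARD_RIGHTS_WRITE_ACCESS: keeps POLICY_WRITE at its previous (winnt.h) value now that the alias carries DACL/owner/delete rights */`. Whether the remaining POLICY_* bits of the mask are correct cannot be judged from this hunk.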
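Review bot: The new STANDARD_RIGHTS_WRITE_ACCESS (WRITE_OWNER|WRITE_DAC|DELETE, 0x000d0000) is a semantic change, not a cleanup: the old definition matched winnt.h, where STANDARD_RIGHTS_WRITE is just READ_CONTROL, so any generic mapping still built on this alias now hands out the rights to rewrite the DACL, take ownership and delete the object on a plain GENERIC_WRITE request. The two users touched in this patch (POLICY_WRITE in rpc_lsa.h, FILE_GENERIC_WRITE in smb.h) were switched to spell READ_CONTROL to keep their old values, which suggests the wider mask is meant only for the SAMR/privilege mappings; every other user of the alias outside this patch inherits it unless audited. The comment should state the deliberate divergence rather than only the hex value, e.g. `/* Deliberately wider than winnt.h STANDARD_RIGHTS_WRITE (= READ_CONTROL): this is the object-modifying half of Samba's generic mappings. Use STD_RIGHT_READ_CONTROL_ACCESS where the Windows value is required. */`, and a grep for remaining STANDARD_RIGHTS_WRITE_ACCESS users belongs on the rc1 checklist.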
@@ -1069,7 +1069,7 @@ struct bitmap {
 #define FILE_GENERIC_READ (STANDARD_RIGHTS_READ_ACCESS|FILE_READ_DATA|FILE_READ_ATTRIBUTES|\
 FILE_READ_EA|SYNCHRONIZE_ACCESS)
 
-#define FILE_GENERIC_WRITE (STANDARD_RIGHTS_WRITE_ACCESS|FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES|\
+#define FILE_GENERIC_WRITE (STD_RIGHT_READ_CONTROL_ACCESS|FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES|\
 FILE_WRITE_EA|FILE_APPEND_DATA|SYNCHRONIZE_ACCESS)
 
 #define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE_ACCESS|\
diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index 8531b2fdd13..97d9389aa6c 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -1184,7 +1184,7 @@ static struct parm_struct parm_table[] = {
 {"template shell", P_STRING, P_GLOBAL, &Globals.szTemplateShell, NULL, NULL, FLAG_ADVANCED},
 {"winbind separator", P_STRING, P_GLOBAL, &Globals.szWinbindSeparator, NULL, NULL, FLAG_ADVANCED},
 {"winbind cache time", P_INTEGER, P_GLOBAL, &Globals.winbind_cache_time, NULL, NULL, FLAG_ADVANCED},
- {"winbind enable local accounts", P_BOOL, P_GLOBAL, &Globals.bWinbindEnableLocalAccounts, NULL, NULL, FLAG_ADVANCED},
+ {"winbind enable local accounts", P_BOOL, P_GLOBAL, &Globals.bWinbindEnableLocalAccounts, NULL, NULL, FLAG_ADVANCED|FLAG_DEPRECATED},
 {"winbind enum users", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumUsers, NULL, NULL, FLAG_ADVANCED},
 {"winbind enum groups", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumGroups, NULL, NULL, FLAG_ADVANCED},
 {"winbind use default domain", P_BOOL, P_GLOBAL, &Globals.bWinbindUseDefaultDomain, NULL, NULL, FLAG_ADVANCED},
diff --git a/source/passdb/passdb.c b/source/passdb/passdb.c
index c7cd59a4c5f..6777149a8a5 100644
--- a/source/passdb/passdb.c
+++ b/source/passdb/passdb.c
@@ -794,6 +794,12 @@ BOOL local_lookup_sid(const DOM_SID *sid, char *name, enum SID_NAME_USE *psid_na return True; } + if (rid == DOMAIN_USER_RID_ADMIN) { + *psid_name_use = SID_NAME_USER; + fstrcpy(name, "Administrator"); + return True; + } + if (algorithmic_pdb_rid_is_user(rid)) { uid_t uid; struct passwd *pw = NULL; diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c index 13053d9877b..da00d2d6c43 100644 --- a/source/rpc_server/srv_lsa_nt.c +++ b/source/rpc_server/srv_lsa_nt.c @@ -1134,16 +1134,21 @@ NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u struct lsa_info *info = NULL; SE_PRIV mask; PRIVILEGE_SET *set = NULL; + struct current_user user; /* find the connection policy handle. */ if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - /* check to see if the pipe_user is a Domain Admin since + /* check to see if the pipe_user is root or a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - - if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + + get_current_user( &user, p ); + if ( user.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + { return NT_STATUS_ACCESS_DENIED; + } set = &q_u->set; 
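Review bot: The added branch makes local_lookup_sid answer `Administrator`/SID_NAME_USER for RID 500 without checking that any passdb account actually carries that RID, so a SID_NAME_USER result from this function no longer implies a real account exists, and any caller that turns the name back into a Unix identity is now working from a synthesised name. If that is the intended fallback described in WHATSNEW it should be said at the site: `/* No passdb account owns RID 500: return the well-known name so SID->name lookups still succeed. Display fallback only - it does not vouch for a matching account. */`. local_lookup_sid starts before this hunk, so I cannot see whether the SID was already confirmed to belong to the local domain; if it was not, this branch also answers for RID 500 of any foreign domain SID.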
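Review bot: The new gate in _lsa_addprivs never looks at the policy handle it just resolved — `info` is filled by find_policy_by_hnd and then unused — so the decision rests entirely on the caller's uid or Domain Admins membership, and a client that opened the LSA policy with a minimal access mask can still add privileges. If lsa_info records the access granted at open time, check it as well, e.g. `if (!(info->access & POLICY_CREATE_ACCOUNT)) return NT_STATUS_ACCESS_DENIED;` with whichever POLICY_* bit _lsa_open_policy is meant to grant for this operation. The `user.uid != sec_initial_uid()` shortcut also makes any session whose pipe_user resolves to smbd's initial uid (normally root, e.g. through a username map) a full privilege administrator, a broader trust than the Domain Admins RID test; that is presumably the 'allow root' behaviour WHATSNEW announces, but a one-line comment saying so would stop it being mistaken for a debugging leftover. _lsa_addprivs continues past the end of the hunk.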
@@ -1170,16 +1175,21 @@ NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEP struct lsa_info *info = NULL; SE_PRIV mask; PRIVILEGE_SET *set = NULL; + struct current_user user; /* find the connection policy handle. */ if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info)) return NT_STATUS_INVALID_HANDLE; - /* check to see if the pipe_user is a Domain Admin since + /* check to see if the pipe_user is root or a Domain Admin since account_pol.tdb was already opened as root, this is all we have */ - - if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + + get_current_user( &user, p ); + if ( user.uid != sec_initial_uid() + && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) + { return NT_STATUS_ACCESS_DENIED; + } set = &q_u->set; diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c index 3742e213832..7a1c7b79e38 100644 --- a/source/rpc_server/srv_samr_nt.c +++ b/source/rpc_server/srv_samr_nt.c @@ -270,8 +270,8 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token, saved_mask = (des_access & rights_mask); des_access &= ~saved_mask; - DEBUG(4,("access_check_samr_object: user rights saved access mask [0x%x]\n", - saved_mask)); + DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n", + rights_mask)); } @@ -296,9 +296,9 @@ static NTSTATUS access_check_samr_object( SEC_DESC *psd, NT_USER_TOKEN *token, done: /* add in any bits saved during the privilege check (only - matters is syayus is ok) */ + matters is status is ok) */ - *acc_granted |= saved_mask; + *acc_granted |= rights_mask; DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n", debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED", diff --git a/source/utils/testprns.c b/source/utils/testprns.c index 1525ab11d0f..5af40b06d19 100644 --- a/source/utils/testprns.c +++ b/source/utils/testprns.c 
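Review bot: The authorization block added here is a line-for-line copy of the one added to _lsa_addprivs in the same patch, so the next change to the rule (for instance an access-mask check on `info`, which neither function performs) has to be made twice and can drift. Factor it into one static helper and call it from both functions: `if (!lsa_caller_may_adjust_privs(p)) return NT_STATUS_ACCESS_DENIED;`. _lsa_removeprivs continues past the end of the hunk.
```c
/* Privilege assignments may be changed by root or by a Domain Admin;
 * account_pol.tdb is already open as root, so this is the only gate. */
static BOOL lsa_caller_may_adjust_privs(pipes_struct *p)
{
	struct current_user user;

	get_current_user(&user, p);
	if (user.uid == sec_initial_uid())
		return True;
	return nt_token_check_domain_rid(p->pipe_user.nt_user_token,
					 DOMAIN_GROUP_RID_ADMINS);
}
```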
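Review bot: Changing `*acc_granted |= saved_mask;` to `*acc_granted |= rights_mask;` lets the granted mask exceed the requested one: saved_mask is the subset of des_access that the caller's user right covers, while rights_mask is everything that right confers, so a client asking for a single SAMR right now receives a handle carrying every right the privilege maps to (and the previous hunk's debug line now reports that same over-approximation). If the motivation is MAXIMUM_ALLOWED requests, for which des_access & rights_mask is empty and the old code dropped the privilege entirely, grant the full mask only in that case: `*acc_granted |= (des_access & MAXIMUM_ALLOWED_ACCESS) ? rights_mask : saved_mask;` (assuming that is the name this tree uses for the bit). Note also that the OR at `done:` runs on the denied path too; the comment says it only matters when status is OK, which holds only if every caller discards acc_granted on error. access_check_samr_object starts before this hunk.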
@@ -41,6 +41,9 @@ int main(int argc, char *argv[])
 {
 setup_logging(argv[0],True);
 
+ printf("NOTICE: This program is now deprecated and will be removed \n");
+ printf("in a future Samba release.\n\n");
+
 if (argc != 2)
 printf("Usage: testprns printername\n");
 else
-- 
2.11.4.GIT
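Review bot: The deprecation notice is printed to stdout before the tool's real output, so any script that captures testprns output now gets two extra lines (the first with a stray space before `\n`); diagnostics like this belong on stderr: `fprintf(stderr, "NOTICE: This program is now deprecated and will be removed\n" "in a future Samba release.\n\n");`. main continues past the end of the hunk.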