svn commit: samba r6918 - in trunk/source: include printing registry

jerry at samba.org jerry at samba.org
Fri May 20 05:26:59 GMT 2005


Author: jerry
Date: 2005-05-20 05:26:59 +0000 (Fri, 20 May 2005)
New Revision: 6918

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=6918

Log:
* fixed final issue when restoring printers to a Windows host
  from a printmig.exe backup file of a Samba server.

When smbd generates a default sd for a printer, it formerly
included just the generic bits in the ACE.  Samba would always
map the specific bits in the access mask of a request to generic
bits for checking against the generic bits in the ACE.

Apparently, the windows spooler does not perform this
mapping of specific to generic bits internally.  Hence
this is why i was always getting access denied on the open
printer calls for the local printer object after the restore.
There really were no access bits that the spooler would look
at to give me access.

So the main change here is modify the definition 
of the PRINTER_ACE_XXX macros in rpc_spoolss.h
to include the specific bits as well as the generic 
ones.



Modified:
   trunk/source/include/rpc_spoolss.h
   trunk/source/printing/nt_printing.c
   trunk/source/registry/reg_printing.c


Changeset:
Modified: trunk/source/include/rpc_spoolss.h
===================================================================
--- trunk/source/include/rpc_spoolss.h	2005-05-20 03:33:36 UTC (rev 6917)
+++ trunk/source/include/rpc_spoolss.h	2005-05-20 05:26:59 UTC (rev 6918)
@@ -170,13 +170,6 @@
 #define JOB_STATUS_BLOCKED		0x0200
 #define JOB_STATUS_USER_INTERVENTION	0x0400
 
-/* ACE masks for the various print permissions */
-
-#define PRINTER_ACE_FULL_CONTROL      GENERIC_ALL_ACCESS
-#define PRINTER_ACE_MANAGE_DOCUMENTS  READ_CONTROL_ACCESS
-#define PRINTER_ACE_PRINT             \
-    (GENERIC_READ_ACCESS | GENERIC_WRITE_ACCESS | GENERIC_EXECUTE_ACCESS)
-
 /* Access rights for print servers */
 #define SERVER_ALL_ACCESS	STANDARD_RIGHTS_REQUIRED_ACCESS|SERVER_ACCESS_ADMINISTER|SERVER_ACCESS_ENUMERATE
 #define SERVER_READ		STANDARD_RIGHTS_READ_ACCESS|SERVER_ACCESS_ENUMERATE
@@ -195,6 +188,13 @@
 #define JOB_WRITE	STANDARD_RIGHTS_WRITE_ACCESS|JOB_ACCESS_ADMINISTER
 #define JOB_EXECUTE	STANDARD_RIGHTS_EXECUTE_ACCESS|JOB_ACCESS_ADMINISTER
 
+/* ACE masks for the various print permissions */
+
+#define PRINTER_ACE_FULL_CONTROL      (GENERIC_ALL_ACCESS|PRINTER_ALL_ACCESS)
+#define PRINTER_ACE_MANAGE_DOCUMENTS  READ_CONTROL_ACCESS
+#define PRINTER_ACE_PRINT             (READ_CONTROL_ACCESS|PRINTER_ACCESS_USE)
+
+
 /* Notify field types */
 
 #define NOTIFY_ONE_VALUE 1		/* Notify data is stored in value1 */
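Review bot: `PRINTER_ACE_PRINT` on the added lines no longer carries any generic bit, although the log message says the masks now hold the specific bits as well as the generic ones and `PRINTER_ACE_FULL_CONTROL` does keep `GENERIC_ALL_ACCESS`. `PRINTER_ACE_MANAGE_DOCUMENTS` is also left as bare `READ_CONTROL_ACCESS`, so by the log's own reasoning a Windows spooler reading that ACE would still find no object-specific bits to grant. These masks end up in the default printer security descriptor, so each one deserves a comment stating which rights it is meant to confer, e.g. `/* generic bits dropped on purpose: the Windows spooler only evaluates the specific PRINTER_ACCESS_* bits */` above `PRINTER_ACE_PRINT` if that is the intent. The definitions of `PRINTER_ALL_ACCESS` and `PRINTER_ACCESS_USE` are outside this hunk, so the effective masks cannot be confirmed from here.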

Modified: trunk/source/printing/nt_printing.c
===================================================================
--- trunk/source/printing/nt_printing.c	2005-05-20 03:33:36 UTC (rev 6917)
+++ trunk/source/printing/nt_printing.c	2005-05-20 05:26:59 UTC (rev 6918)
@@ -3930,7 +3930,7 @@
 	SEC_ACL *psa = NULL;
 	SEC_DESC_BUF *sdb = NULL;
 	SEC_DESC *psd = NULL;
-	DOM_SID owner_sid;
+	DOM_SID owner_sid, group_sid;
 	size_t sd_size;
 
 	/* Create an ACE where Everyone is allowed to print */
@@ -3942,18 +3942,21 @@
 	/* Make the security descriptor owned by the Administrators group
 	   on the PDC of the domain. */
 
-	if (secrets_fetch_domain_sid(lp_workgroup(), &owner_sid)) {
-		sid_append_rid(&owner_sid, DOMAIN_USER_RID_ADMIN);
+	if (secrets_fetch_domain_sid(lp_workgroup(), &group_sid)) {
+		sid_append_rid(&group_sid, DOMAIN_USER_RID_ADMIN);
 	} else {
 
 		/* Backup plan - make printer owned by admins.
  		   This should emulate a lanman printer as security
  		   settings can't be changed. */
 
-		sid_copy(&owner_sid, get_global_sam_sid());
-		sid_append_rid(&owner_sid, DOMAIN_USER_RID_ADMIN);
+		sid_copy(&group_sid, get_global_sam_sid());
+		sid_append_rid(&group_sid, DOMAIN_USER_RID_ADMIN);
 	}
 
+	sid_copy( &owner_sid, &global_sid_Builtin_Administrators );
+
+
 	init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL);
 	init_sec_ace(&ace[i++], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
 		     sa, SEC_ACE_FLAG_OBJECT_INHERIT |
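Review bot: The `PRINTER_ACE_FULL_CONTROL` ACE built right after the added `sid_copy()` still uses `owner_sid`, which is now `global_sid_Builtin_Administrators`, so the domain SID with `DOMAIN_USER_RID_ADMIN` appended no longer receives that ACE from this call and is only passed as the primary group in the later `make_sec_desc()` hunk. If the domain administrator is still meant to hold full control, that needs an explicit ACE for `group_sid`; the remaining ACEs are outside the hunk, so this may already be covered. The two comments kept as context ("owned by the Administrators group on the PDC", "make printer owned by admins") now describe the group rather than the owner, and `DOMAIN_USER_RID_ADMIN` reads by its name as a user RID, not a group RID. Suggested replacement for the first comment: `/* Owner is BUILTIN\Administrators; the primary group is the domain (or local SAM) SID plus DOMAIN_USER_RID_ADMIN. */`.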
@@ -3988,7 +3991,7 @@
 
 	if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) != NULL) {
 		psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE,
-				    &owner_sid, NULL,
+				    &owner_sid, &group_sid,
 				    NULL, psa, &sd_size);
 	}
 

Modified: trunk/source/registry/reg_printing.c
===================================================================
--- trunk/source/registry/reg_printing.c	2005-05-20 03:33:36 UTC (rev 6917)
+++ trunk/source/registry/reg_printing.c	2005-05-20 05:26:59 UTC (rev 6918)
@@ -560,6 +560,11 @@
 		for (snum=0; snum<n_services; snum++) {
 			if ( !(lp_snum_ok(snum) && lp_print_ok(snum) ) )
 				continue;
+
+			/* don't report the [printers] share */
+
+			if ( strequal( lp_servicename(snum), PRINTERS_NAME ) )
+				continue;
 				
 			fstrcpy( sname, lp_servicename(snum) );
 				
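Review bot: The added comment `/* don't report the [printers] share */` says what is skipped but not why, and the loop it sits in continues outside the hunk. A reader cannot tell whether the share is excluded because it is not an actual printer or for some other reason. Something like `/* [printers] is the generic printers service, not an actual printer, so it must not be listed as a printer key */` would record the intent, with the wording to be confirmed by the author.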


