[SCM] Samba Shared Repository - branch master updated
Jeremy Allison
jra at samba.org
Fri Aug 31 23:08:02 MDT 2012
The branch, master has been updated
via d5f845c s3: Make an if statement a bit easier to read
via 5e0365d Now SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP don't include any generic bits (they're used directly in the fileserver where the generic bits have already been mapped into file specific bits) we need to add the generic bits to the test when we have these privileges.
via 6550bc0 Rewrite torture_samba3_rpc_sharesec() to use a non-privileged user for share security descriptor testing.
via 64e57a1 Add a comment showing where to set log level in tests.
via 4645564 Change the S3 fileserver over to se_file_access_check().
via 2b89e1a Factor out privilege checking code into se_file_access_check() which takes a bool priv_open_requested parameter.
via 69d925d SEC_RIGHTS_DIR_PRIV_BACKUP and SEC_RIGHTS_DIR_PRIV_RESTORE aren't used anywhere. Remove (can re-add if needed).
from 4d7dad1 s4-dsdb: Remove unused variables
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit d5f845c0d3ca185181760bce3731d31a71db4f32
Author: Volker Lendecke <vl at samba.org>
Date: Fri Aug 31 14:11:45 2012 +0200
s3: Make an if statement a bit easier to read
Fix indentation a bit
Signed-off-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Sep 1 07:07:12 CEST 2012 on sn-devel-104
commit 5e0365dfe891f556eed180bc44ac7120c37141fb
Author: Jeremy Allison <jra at samba.org>
Date: Fri Aug 31 14:42:21 2012 -0700
Now SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP don't include any generic bits (they're used directly in the fileserver where the generic bits have already been mapped into file specific bits) we need to add the generic bits to the test when we have these privileges.
Mark samba4.base.maximum_allowed knownfail until we implement NTCREATEX_OPTIONS_BACKUP_INTENT.
commit 6550bc0d26278ce96a2a752231efef274c0dcf12
Author: Jeremy Allison <jra at samba.org>
Date: Fri Aug 31 12:42:16 2012 -0700
Rewrite torture_samba3_rpc_sharesec() to use a non-privileged user for share security descriptor testing.
commit 64e57a1770b61593082ddd1191f26fa314ddafcd
Author: Jeremy Allison <jra at samba.org>
Date: Fri Aug 31 12:41:48 2012 -0700
Add a comment showing where to set log level in tests.
commit 46455642a78f7a1c60f56dec8ad907d0cfd326ea
Author: Jeremy Allison <jra at samba.org>
Date: Mon Aug 27 16:07:32 2012 -0700
Change the S3 fileserver over to se_file_access_check().
Don't set the priv_open_requested yet until the open-for-backup
request is correctly passed in.
commit 2b89e1a20a6c726e5c3219a944143f0beb7c5920
Author: Jeremy Allison <jra at samba.org>
Date: Mon Aug 27 15:41:18 2012 -0700
Factor out privilege checking code into se_file_access_check() which takes a bool priv_open_requested parameter.
commit 69d925d110a23e9f1cf9e6013729eb611b8ab58a
Author: Jeremy Allison <jra at samba.org>
Date: Mon Aug 27 14:15:35 2012 -0700
SEC_RIGHTS_DIR_PRIV_BACKUP and SEC_RIGHTS_DIR_PRIV_RESTORE aren't used anywhere. Remove (can re-add if needed).
Ensure the privilege rights are always specific rights, not generic.
By the time the privilege rights are examined, we've already mapped
from generic to specific in the access_mask.
-----------------------------------------------------------------------
Summary of changes:
libcli/security/access_check.c | 86 +++++++++++++++++++++++---
libcli/security/access_check.h | 11 ++++
librpc/idl/security.idl | 15 ++---
selftest/knownfail | 1 +
selftest/target/Samba4.pm | 3 +
source3/lib/sharesec.c | 2 +-
source3/smbd/open.c | 20 ++++---
source4/torture/basic/denytest.c | 31 ++++++++-
source4/torture/rpc/samba3rpc.c | 123 +++++++++++++++++++++++++++++++++-----
source4/torture/rpc/testjoin.c | 74 +++++++++++++++++++++++
10 files changed, 320 insertions(+), 46 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/security/access_check.c b/libcli/security/access_check.c
index 7f08cb5..9153dad 100644
--- a/libcli/security/access_check.c
+++ b/libcli/security/access_check.c
@@ -274,16 +274,6 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
}
}
- /* TODO: remove this, as it is file server specific */
- if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
- security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
- bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
- }
- if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
- security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
- bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
- }
-
if ((bits_remaining & SEC_STD_WRITE_OWNER) &&
security_token_has_privilege(token, SEC_PRIV_TAKE_OWNERSHIP)) {
bits_remaining &= ~(SEC_STD_WRITE_OWNER);
@@ -298,6 +288,82 @@ done:
return NT_STATUS_OK;
}
+/*
+ The main entry point for access checking FOR THE FILE SERVER ONLY !
+ If returning ACCESS_DENIED this function returns the denied bits in
+ the uint32_t pointed to by the access_granted pointer.
+*/
+NTSTATUS se_file_access_check(const struct security_descriptor *sd,
+ const struct security_token *token,
+ bool priv_open_requested,
+ uint32_t access_desired,
+ uint32_t *access_granted)
+{
+ uint32_t bits_remaining;
+ NTSTATUS status;
+
+ if (!priv_open_requested) {
+ /* Fall back to generic se_access_check(). */
+ return se_access_check(sd,
+ token,
+ access_desired,
+ access_granted);
+ }
+
+ /*
+ * We need to handle the maximum allowed flag
+ * outside of se_access_check(), as we need to
+ * add in the access allowed by the privileges
+ * as well.
+ */
+
+ if (access_desired & SEC_FLAG_MAXIMUM_ALLOWED) {
+ uint32_t orig_access_desired = access_desired;
+
+ access_desired |= access_check_max_allowed(sd, token);
+ access_desired &= ~SEC_FLAG_MAXIMUM_ALLOWED;
+
+ if (security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+ access_desired |= SEC_RIGHTS_PRIV_BACKUP;
+ }
+
+ if (security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+ access_desired |= SEC_RIGHTS_PRIV_RESTORE;
+ }
+
+ DEBUG(10,("se_file_access_check: MAX desired = 0x%x "
+ "mapped to 0x%x\n",
+ orig_access_desired,
+ access_desired));
+ }
+
+ status = se_access_check(sd,
+ token,
+ access_desired,
+ access_granted);
+
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ return status;
+ }
+
+ bits_remaining = *access_granted;
+
+ /* Check if we should override with privileges. */
+ if ((bits_remaining & SEC_RIGHTS_PRIV_BACKUP) &&
+ security_token_has_privilege(token, SEC_PRIV_BACKUP)) {
+ bits_remaining &= ~(SEC_RIGHTS_PRIV_BACKUP);
+ }
+ if ((bits_remaining & SEC_RIGHTS_PRIV_RESTORE) &&
+ security_token_has_privilege(token, SEC_PRIV_RESTORE)) {
+ bits_remaining &= ~(SEC_RIGHTS_PRIV_RESTORE);
+ }
+ if (bits_remaining != 0) {
+ *access_granted = bits_remaining;
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ return NT_STATUS_OK;
+}
static const struct GUID *get_ace_object_type(struct security_ace *ace)
{
diff --git a/libcli/security/access_check.h b/libcli/security/access_check.h
index dccc117..84b2e5f 100644
--- a/libcli/security/access_check.h
+++ b/libcli/security/access_check.h
@@ -54,6 +54,17 @@ NTSTATUS se_access_check(const struct security_descriptor *sd,
uint32_t access_desired,
uint32_t *access_granted);
+/*
+ The main entry point for access checking FOR THE FILE SERVER ONLY !
+ If returning ACCESS_DENIED this function returns the denied bits in
+ the uint32_t pointed to by the access_granted pointer.
+*/
+NTSTATUS se_file_access_check(const struct security_descriptor *sd,
+ const struct security_token *token,
+ bool priv_open_requested,
+ uint32_t access_desired,
+ uint32_t *access_granted);
+
/* modified access check for the purposes of DS security
* Lots of code duplication, it will ve united in just one
* function eventually */
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 5973fc5..33085c4 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -147,19 +147,18 @@ interface security
const int SEC_RIGHTS_DIR_ALL = SEC_RIGHTS_FILE_ALL;
/* rights granted by some specific privileges */
- const int SEC_RIGHTS_PRIV_BACKUP = SEC_STD_READ_CONTROL |
+ const int SEC_RIGHTS_PRIV_BACKUP = SEC_STD_READ_CONTROL |
SEC_FLAG_SYSTEM_SECURITY |
- SEC_GENERIC_READ;
- const int SEC_RIGHTS_DIR_PRIV_BACKUP = SEC_RIGHTS_PRIV_BACKUP
- | SEC_DIR_TRAVERSE;
+ SEC_RIGHTS_FILE_READ |
+ SEC_DIR_TRAVERSE;
- const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
+ const int SEC_RIGHTS_PRIV_RESTORE = SEC_STD_WRITE_DAC |
SEC_STD_WRITE_OWNER |
SEC_FLAG_SYSTEM_SECURITY |
- SEC_STD_DELETE;
- const int SEC_RIGHTS_DIR_PRIV_RESTORE = SEC_RIGHTS_PRIV_RESTORE |
+ SEC_RIGHTS_FILE_WRITE |
SEC_DIR_ADD_FILE |
- SEC_DIR_ADD_SUBDIR;
+ SEC_DIR_ADD_SUBDIR |
+ SEC_STD_DELETE;
/* combinations of standard masks. */
const int STANDARD_RIGHTS_ALL_ACCESS = SEC_STD_ALL; /* 0x001f0000 */
diff --git a/selftest/knownfail b/selftest/knownfail
index 93f1dfc..4e6eb43 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -93,6 +93,7 @@
^samba4.rpc.samr.passwords.badpwdcount # Not provided by Samba 4 yet
^samba4.rpc.samr.passwords.lockout
^samba4.base.charset.*.Testing partial surrogate
+^samba4.*.base.maximum_allowed # broken until we implement NTCREATEX_OPTIONS_BACKUP_INTENT
.*net.api.delshare.* # DelShare isn't implemented yet
^samba4.rap.*netservergetinfo
^samba4.rap.*netsessionenum
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 21b8dcf..fb437d7 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -456,6 +456,9 @@ sub provision_raw_prepare($$$$$$$$$$)
$ctx->{password} = $password;
$ctx->{kdc_ipv4} = $kdc_ipv4;
+#
+# Set smbd log level here.
+#
$ctx->{server_loglevel} =$ENV{SERVER_LOG_LEVEL} || 1;
$ctx->{username} = "Administrator";
$ctx->{domain} = $domain;
diff --git a/source3/lib/sharesec.c b/source3/lib/sharesec.c
index 978edf2..c7a8e51 100644
--- a/source3/lib/sharesec.c
+++ b/source3/lib/sharesec.c
@@ -451,7 +451,7 @@ bool share_access_check(const struct security_token *token,
return false;
}
- status = se_access_check(psd, token, desired_access, &granted);
+ status = se_file_access_check(psd, token, true, desired_access, &granted);
TALLOC_FREE(psd);
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 415f6ad..381f3b5 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -129,11 +129,12 @@ NTSTATUS smbd_check_access_rights(struct connection_struct *conn,
}
/*
- * Never test FILE_READ_ATTRIBUTES. se_access_check() also takes care of
+ * Never test FILE_READ_ATTRIBUTES. se_file_access_check() also takes care of
* owner WRITE_DAC and READ_CONTROL.
*/
- status = se_access_check(sd,
+ status = se_file_access_check(sd,
get_current_nttok(conn),
+ false,
(access_mask & ~FILE_READ_ATTRIBUTES),
&rejected_mask);
@@ -245,11 +246,12 @@ static NTSTATUS check_parent_access(struct connection_struct *conn,
}
/*
- * Never test FILE_READ_ATTRIBUTES. se_access_check() also takes care of
+ * Never test FILE_READ_ATTRIBUTES. se_file_access_check() also takes care of
* owner WRITE_DAC and READ_CONTROL.
*/
- status = se_access_check(parent_sd,
+ status = se_file_access_check(parent_sd,
get_current_nttok(conn),
+ false,
(access_mask & ~FILE_READ_ATTRIBUTES),
&access_granted);
if(!NT_STATUS_IS_OK(status)) {
@@ -1681,11 +1683,12 @@ static NTSTATUS smbd_calculate_maximum_allowed_access(
}
/*
- * Never test FILE_READ_ATTRIBUTES. se_access_check()
+ * Never test FILE_READ_ATTRIBUTES. se_file_access_check()
* also takes care of owner WRITE_DAC and READ_CONTROL.
*/
- status = se_access_check(sd,
+ status = se_file_access_check(sd,
get_current_nttok(conn),
+ false,
(*p_access_mask & ~FILE_READ_ATTRIBUTES),
&access_granted);
@@ -2008,8 +2011,9 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
/* We only care about matching attributes on file exists and
* overwrite. */
- if (!posix_open && file_existed && ((create_disposition == FILE_OVERWRITE) ||
- (create_disposition == FILE_OVERWRITE_IF))) {
+ if (!posix_open && file_existed &&
+ ((create_disposition == FILE_OVERWRITE) ||
+ (create_disposition == FILE_OVERWRITE_IF))) {
if (!open_match_attributes(conn, existing_dos_attributes,
new_dos_attributes,
smb_fname->st.st_ex_mode,
diff --git a/source4/torture/basic/denytest.c b/source4/torture/basic/denytest.c
index 2e21c83..69717be 100644
--- a/source4/torture/basic/denytest.c
+++ b/source4/torture/basic/denytest.c
@@ -2687,7 +2687,7 @@ bool torture_maximum_allowed(struct torture_context *tctx,
NTSTATUS status;
union smb_fileinfo q;
const char *owner_sid;
- bool has_restore_privilege, has_backup_privilege;
+ bool has_restore_privilege, has_backup_privilege, has_system_security_privilege;
mem_ctx = talloc_init("torture_maximum_allowed");
@@ -2747,18 +2747,41 @@ bool torture_maximum_allowed(struct torture_context *tctx,
owner_sid,
has_backup_privilege?"Yes":"No");
+ status = torture_check_privilege(cli,
+ owner_sid,
+ sec_privilege_name(SEC_PRIV_SECURITY));
+ has_system_security_privilege = NT_STATUS_IS_OK(status);
+ torture_comment(tctx, "Checked SEC_PRIV_SECURITY for %s - %s\n",
+ owner_sid,
+ has_system_security_privilege?"Yes":"No");
+
smbcli_close(cli->tree, fnum);
for (i = 0; i < 32; i++) {
uint32_t mask = SEC_FLAG_MAXIMUM_ALLOWED | (1u << i);
- uint32_t ok_mask = SEC_RIGHTS_FILE_READ | SEC_GENERIC_READ |
+ /*
+ * SEC_GENERIC_EXECUTE is a complete subset of
+ * SEC_GENERIC_READ when mapped to specific bits,
+ * so we need to include it in the basic OK mask.
+ */
+ uint32_t ok_mask = SEC_RIGHTS_FILE_READ | SEC_GENERIC_READ | SEC_GENERIC_EXECUTE |
SEC_STD_DELETE | SEC_STD_WRITE_DAC;
+ /*
+ * Now SEC_RIGHTS_PRIV_RESTORE and SEC_RIGHTS_PRIV_BACKUP
+ * don't include any generic bits (they're used directly
+ * in the fileserver where the generic bits have already
+ * been mapped into file specific bits) we need to add the
+ * generic bits to the ok_mask when we have these privileges.
+ */
if (has_restore_privilege) {
- ok_mask |= SEC_RIGHTS_PRIV_RESTORE;
+ ok_mask |= SEC_RIGHTS_PRIV_RESTORE|SEC_GENERIC_WRITE;
}
if (has_backup_privilege) {
- ok_mask |= SEC_RIGHTS_PRIV_BACKUP;
+ ok_mask |= SEC_RIGHTS_PRIV_BACKUP|SEC_GENERIC_READ;
+ }
+ if (has_system_security_privilege) {
+ ok_mask |= SEC_FLAG_SYSTEM_SECURITY;
}
/* Skip all SACL related tests. */
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
index e2c8b66..f7968b1 100644
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -2391,36 +2391,129 @@ bool try_tcon(struct torture_context *tctx,
static bool torture_samba3_rpc_sharesec(struct torture_context *torture)
{
- struct smbcli_state *cli;
- struct security_descriptor *sd;
- struct dom_sid *user_sid;
+ struct smbcli_state *cli = NULL;
+ struct security_descriptor *sd = NULL;
+ struct dom_sid *user_sid = NULL;
+ const char *testuser_passwd = NULL;
+ struct cli_credentials *test_credentials = NULL;
+ struct smbcli_options options;
+ struct smbcli_session_options session_options;
+ NTSTATUS status;
+ struct test_join *tj = NULL;
+ struct dcerpc_pipe *lsa_pipe = NULL;
+ const char *priv_array[1];
+
+ /* Create a new user. The normal user has SeBackup and SeRestore
+ privs so we can't lock them out with a share security descriptor. */
+ tj = torture_create_testuser(torture,
+ "sharesec_user",
+ torture_setting_string(torture, "workgroup", NULL),
+ ACB_NORMAL,
+ &testuser_passwd);
+ if (!tj) {
+ torture_fail(torture, "Creating sharesec_user failed\n");
+ }
+
+ /* Give them SeDiskOperatorPrivilege but no other privs. */
+ status = torture_rpc_connection(torture, &lsa_pipe, &ndr_table_lsarpc);
+ if (!NT_STATUS_IS_OK(status)) {
+ torture_delete_testuser(torture, tj, "sharesec_user");
+ talloc_free(tj);
+ torture_fail(torture, "Error connecting to LSA pipe");
+ }
+
+ priv_array[0] = "SeDiskOperatorPrivilege";
+ if (!torture_setup_privs(torture,
+ lsa_pipe,
+ 1,
+ priv_array,
+ torture_join_user_sid(tj))) {
+ talloc_free(lsa_pipe);
+ torture_delete_testuser(torture, tj, "sharesec_user");
+ talloc_free(tj);
+ torture_fail(torture, "Failed to setup privs\n");
+ }
+ talloc_free(lsa_pipe);
- if (!(torture_open_connection_share(
- torture, &cli, torture, torture_setting_string(torture, "host", NULL),
- "IPC$", torture->ev))) {
- torture_fail(torture, "IPC$ connection failed\n");
+ test_credentials = cli_credentials_init(torture);
+ cli_credentials_set_workstation(test_credentials, "localhost", CRED_SPECIFIED);
+ cli_credentials_set_domain(test_credentials, lpcfg_workgroup(torture->lp_ctx),
+ CRED_SPECIFIED);
+ cli_credentials_set_username(test_credentials, "sharesec_user", CRED_SPECIFIED);
+ cli_credentials_set_password(test_credentials, testuser_passwd, CRED_SPECIFIED);
+
+ ZERO_STRUCT(options);
+ ZERO_STRUCT(session_options);
+ lpcfg_smbcli_options(torture->lp_ctx, &options);
+ lpcfg_smbcli_session_options(torture->lp_ctx, &session_options);
+
+ status = smbcli_full_connection(torture,
+ &cli,
+ torture_setting_string(torture, "host", NULL),
+ lpcfg_smb_ports(torture->lp_ctx),
+ "IPC$",
+ NULL,
+ lpcfg_socket_options(torture->lp_ctx),
+ test_credentials,
+ lpcfg_resolve_context(torture->lp_ctx),
+ torture->ev,
+ &options,
+ &session_options,
+ lpcfg_gensec_settings(torture, torture->lp_ctx));
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(cli);
+ torture_delete_testuser(torture, tj, "sharesec_user");
+ talloc_free(tj);
+ torture_fail(torture, "Failed to open connection\n");
}
if (!(user_sid = whoami(torture, torture, cli->tree))) {
+ talloc_free(cli);
+ torture_delete_testuser(torture, tj, "sharesec_user");
+ talloc_free(tj);
torture_fail(torture, "whoami failed\n");
}
sd = get_sharesec(torture, torture, cli->session,
torture_setting_string(torture, "share", NULL));
- torture_assert(torture, try_tcon(
- torture, torture, sd, cli->session,
+ if (!try_tcon(torture, torture, sd, cli->session,
torture_setting_string(torture, "share", NULL),
- user_sid, 0, NT_STATUS_ACCESS_DENIED, NT_STATUS_OK),
- "failed to test tcon with 0 access_mask");
+ user_sid, 0, NT_STATUS_ACCESS_DENIED, NT_STATUS_OK)) {
+ talloc_free(cli);
+ torture_delete_testuser(torture, tj, "sharesec_user");
+ talloc_free(tj);
+ torture_fail(torture, "failed to test tcon with 0 access_mask");
+ }
- torture_assert(torture, try_tcon(
- torture, torture, sd, cli->session,
+ if (!try_tcon(torture, torture, sd, cli->session,
torture_setting_string(torture, "share", NULL),
user_sid, SEC_FILE_READ_DATA, NT_STATUS_OK,
- NT_STATUS_MEDIA_WRITE_PROTECTED),
- "failed to test tcon with SEC_FILE_READ_DATA access_mask");
+ NT_STATUS_MEDIA_WRITE_PROTECTED)) {
+ talloc_free(cli);
+ torture_delete_testuser(torture, tj, "sharesec_user");
+ talloc_free(tj);
+ torture_fail(torture, "failed to test tcon with SEC_FILE_READ_DATA access_mask");
+ }
+
+ /* sharesec_user doesn't have any rights on the underlying file system.
+ Go back to the normal user. */
+
+ talloc_free(cli);
+ cli = NULL;
+ torture_delete_testuser(torture, tj, "sharesec_user");
+ talloc_free(tj);
+ tj = NULL;
+
+ if (!(torture_open_connection_share(
+ torture, &cli, torture, torture_setting_string(torture, "host", NULL),
+ "IPC$", torture->ev))) {
+ torture_fail(torture, "IPC$ connection failed\n");
+ }
+ if (!(user_sid = whoami(torture, torture, cli->tree))) {
+ torture_fail(torture, "whoami failed\n");
+ }
torture_assert(torture, try_tcon(
torture, torture, sd, cli->session,
torture_setting_string(torture, "share", NULL),
diff --git a/source4/torture/rpc/testjoin.c b/source4/torture/rpc/testjoin.c
index eb49b8e..e546508 100644
--- a/source4/torture/rpc/testjoin.c
+++ b/source4/torture/rpc/testjoin.c
@@ -29,6 +29,7 @@
#include "../lib/crypto/crypto.h"
#include "libnet/libnet.h"
#include "lib/cmdline/popt_common.h"
+#include "librpc/gen_ndr/ndr_lsa_c.h"
#include "librpc/gen_ndr/ndr_samr_c.h"
#include "libcli/auth/libcli_auth.h"
@@ -394,6 +395,79 @@ failed:
return NULL;
}
+/*
+ * Set privileges on an account.
+ */
+
+static void init_lsa_StringLarge(struct lsa_StringLarge *name, const char *s)
+{
+ name->string = s;
+}
+static void init_lsa_String(struct lsa_String *name, const char *s)
+{
+ name->string = s;
+}
+
+bool torture_setup_privs(struct torture_context *tctx,
+ struct dcerpc_pipe *p,
+ uint32_t num_privs,
+ const char **privs,
+ const struct dom_sid *user_sid)
+{
+ struct dcerpc_binding_handle *b = p->binding_handle;
--
Samba Shared Repository
More information about the samba-cvs
mailing list