return NT_STATUS_NO_MEMORY;
}
- sid_compose(&guest_sid, get_global_sam_sid(), DOMAIN_USER_RID_GUEST);
+ sid_compose(&guest_sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
become_root();
ret = pdb_getsampwsid(sampass, &guest_sid);
} else {
sid_copy(&domadm, dom_sid);
}
- sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS );
+ sid_append_rid( &domadm, DOMAIN_RID_ADMINS );
/* Add Administrators if the user beloongs to Domain Admins */
/* add domain users */
if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))
- && sid_compose(&dom_users, dom_sid, DOMAIN_GROUP_RID_USERS))
+ && sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS))
{
status = add_sid_to_builtin(&global_sid_Builtin_Users,
&dom_users);
/* add domain admins */
if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))
- && sid_compose(&dom_admins, dom_sid, DOMAIN_GROUP_RID_ADMINS))
+ && sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS))
{
status = add_sid_to_builtin(&global_sid_Builtin_Administrators,
&dom_admins);
sid_copy(&group_sids[0], &user_sid);
sid_split_rid(&group_sids[0], &dummy);
- sid_append_rid(&group_sids[0], DOMAIN_GROUP_RID_USERS);
+ sid_append_rid(&group_sids[0], DOMAIN_RID_USERS);
if (!sid_to_gid(&group_sids[0], gid)) {
DEBUG(1, ("sid_to_gid(%s) failed\n",
sid_peek_rid( &sid, &rid );
- if ( rid == DOMAIN_GROUP_RID_USERS ) {
+ if ( rid == DOMAIN_RID_USERS ) {
fstrcpy( map->nt_name, "None" );
fstrcpy( map->comment, "Ordinary Users" );
sid_copy( &map->sid, &sid );
* well-known RIDs - Relative IDs
**********************************************************************/
-/* RIDs - Well-known users ... */
-#define DOMAIN_USER_RID_ADMIN (0x000001F4L)
-#define DOMAIN_USER_RID_GUEST (0x000001F5L)
-#define DOMAIN_USER_RID_KRBTGT (0x000001F6L)
-
-/* RIDs - well-known groups ... */
-#define DOMAIN_GROUP_RID_ADMINS (0x00000200L)
-#define DOMAIN_GROUP_RID_USERS (0x00000201L)
-#define DOMAIN_GROUP_RID_GUESTS (0x00000202L)
-#define DOMAIN_GROUP_RID_COMPUTERS (0x00000203L)
-
-#define DOMAIN_GROUP_RID_CONTROLLERS (0x00000204L)
-#define DOMAIN_GROUP_RID_CERT_ADMINS (0x00000205L)
-#define DOMAIN_GROUP_RID_SCHEMA_ADMINS (0x00000206L)
-#define DOMAIN_GROUP_RID_ENTERPRISE_ADMINS (0x00000207L)
-
-/* is the following the right number? I bet it is --simo
-#define DOMAIN_GROUP_RID_POLICY_ADMINS (0x00000208L)
-*/
-
/* RIDs - well-known aliases ... */
#define BUILTIN_ALIAS_RID_ADMINS (0x00000220L)
#define BUILTIN_ALIAS_RID_USERS (0x00000221L)
/* Special case for the guest account which must have a RID of 501 */
if ( strequal( pwd->pw_name, guest_account ) ) {
- if ( !pdb_set_user_sid_from_rid(user, DOMAIN_USER_RID_GUEST, PDB_DEFAULT)) {
+ if ( !pdb_set_user_sid_from_rid(user, DOMAIN_RID_GUEST, PDB_DEFAULT)) {
return NT_STATUS_NO_SUCH_USER;
}
return NT_STATUS_OK;
{
if ( rid_is_well_known(rid) ) {
/*
- * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
- * and DOMAIN_USER_RID_GUEST.
+ * The only well known user RIDs are DOMAIN_RID_ADMINISTRATOR
+ * and DOMAIN_RID_GUEST.
*/
- if(rid == DOMAIN_USER_RID_ADMIN || rid == DOMAIN_USER_RID_GUEST)
+ if(rid == DOMAIN_RID_ADMINISTRATOR || rid == DOMAIN_RID_GUEST)
return True;
} else if((rid & RID_TYPE_MASK) == USER_RID_TYPE) {
return True;
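Review bot: The updated comment still states that the only well-known user RIDs are the Administrator and Guest accounts, yet the header block this commit removes also listed a krbtgt user RID (0x1F6), so the comparison below the comment appears to classify that RID as not a user without saying why. If the exclusion is intentional, the comment should say so, for example `* krbtgt (RID 502) is deliberately not treated as a user here.`; if it is not, the condition needs a third comparison. The function's signature and final return are outside the hunk, so the fall-through result is inferred rather than visible.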
the group already exists. */
if ( strequal( name, "None" ) ) {
- *rid = DOMAIN_GROUP_RID_USERS;
+ *rid = DOMAIN_RID_USERS;
*type = SID_NAME_DOM_GRP;
return True;
/* Just set it to the 'Domain Users' RID of 513 which will
always resolve to a name */
- sid_compose(gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
+ sid_compose(gsid, get_global_sam_sid(), DOMAIN_RID_USERS);
sampass->group_sid = gsid;
/* if we cannot resolve the SID to gid, then just ignore it and
store DOMAIN_USERS as the primary groupSID */
- sid_compose(&dug_sid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
+ sid_compose(&dug_sid, get_global_sam_sid(), DOMAIN_RID_USERS);
if (sid_equal(&dug_sid, g_sid)) {
sid_copy(sampass->group_sid, &dug_sid);
if ( !sid_peek_check_rid( get_global_sam_sid(), sid, &rid ) )
return False;
- if ( rid == DOMAIN_USER_RID_GUEST ) {
+ if ( rid == DOMAIN_RID_GUEST ) {
DEBUG(6,("pdb_getsampwsid: Building guest account\n"));
return guest_user_info( sam_acct );
}
sid_peek_rid( sid, &rid );
- if ( rid == DOMAIN_GROUP_RID_USERS ) {
+ if ( rid == DOMAIN_RID_USERS ) {
*p_num_members = 0;
*pp_member_rids = NULL;
return False;
}
- if ( rid == DOMAIN_GROUP_RID_USERS ) {
+ if ( rid == DOMAIN_RID_USERS ) {
*name = talloc_strdup(mem_ctx, "None" );
*psid_name_use = SID_NAME_DOM_GRP;
DEBUG(3,("ldapsam_create_user: Creating new posix user\n"));
/* retrieve the Domain Users group gid */
- if (!sid_compose(&group_sid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS) ||
+ if (!sid_compose(&group_sid, get_global_sam_sid(), DOMAIN_RID_USERS) ||
!sid_to_gid(&group_sid, &gid)) {
DEBUG (0, ("ldapsam_create_user: Unable to get the Domain Users gid: bailing out!\n"));
return NT_STATUS_INVALID_PRIMARY_GROUP;
rid = pdb_get_user_rid(sampass);
/* If the user specified a RID, make sure its able to be both stored and retreived */
- if (rid == DOMAIN_USER_RID_GUEST) {
+ if (rid == DOMAIN_RID_GUEST) {
struct passwd *passwd = getpwnam_alloc(NULL, lp_guestaccount());
if (!passwd) {
DEBUG(0, ("Could not find guest account via getpwnam()! (%s)\n", lp_guestaccount()));
return NT_STATUS_UNSUCCESSFUL;
/* More special case 'guest account' hacks... */
- if (rid == DOMAIN_USER_RID_GUEST) {
+ if (rid == DOMAIN_RID_GUEST) {
const char *guest_account = lp_guestaccount();
if (!(guest_account && *guest_account)) {
DEBUG(1, ("Guest account not specfied!\n"));
DOM_SID domadmins_sid;
sid_compose(&domadmins_sid, get_global_sam_sid(),
- DOMAIN_GROUP_RID_ADMINS);
+ DOMAIN_RID_ADMINS);
sa = PRINTER_ACE_FULL_CONTROL;
init_sec_ace(&ace[i++], &domadmins_sid,
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
}
else if (secrets_fetch_domain_sid(lp_workgroup(), &adm_sid)) {
- sid_append_rid(&adm_sid, DOMAIN_USER_RID_ADMIN);
+ sid_append_rid(&adm_sid, DOMAIN_RID_ADMINISTRATOR);
sa = PRINTER_ACE_FULL_CONTROL;
init_sec_ace(&ace[i++], &adm_sid,
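Review bot: `DOMAIN_RID_ADMINS` and `DOMAIN_RID_ADMINISTRATOR` now differ only in their suffix, and both appear a few lines apart here while full-control printer ACEs are built, which makes it easy to hand access to the wrong principal in a later edit. The removed header kept the kind in the name (group 0x200 versus user 0x1F4). I would restore that at the call sites with short comments such as `/* Domain Admins group (RID 512) */` above the `sid_compose` call and `/* Administrator user (RID 500) */` above the `sid_append_rid` call. The same pair recurs in the following hunk, and the enclosing function starts and ends outside this one.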
DOM_SID domadmins_sid;
sid_compose(&domadmins_sid, get_global_sam_sid(),
- DOMAIN_GROUP_RID_ADMINS);
+ DOMAIN_RID_ADMINS);
sa = PRINTER_ACE_FULL_CONTROL;
init_sec_ace(&ace[i++], &domadmins_sid,
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
}
else if (secrets_fetch_domain_sid(lp_workgroup(), &adm_sid)) {
- sid_append_rid(&adm_sid, DOMAIN_USER_RID_ADMIN);
+ sid_append_rid(&adm_sid, DOMAIN_RID_ADMINISTRATOR);
sa = PRINTER_ACE_FULL_CONTROL;
init_sec_ace(&ace[i++], &adm_sid,
/* Create new sd */
- sid_append_rid(&owner_sid, DOMAIN_USER_RID_ADMIN);
+ sid_append_rid(&owner_sid, DOMAIN_RID_ADMINISTRATOR);
psd = make_sec_desc(ctx, (*secdesc_ctr)->sd->revision, (*secdesc_ctr)->sd->type,
&owner_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
/* Add Full Access for Domain Admins */
- sid_compose(&adm_sid, get_global_sam_sid(), DOMAIN_GROUP_RID_ADMINS);
+ sid_compose(&adm_sid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
init_sec_ace(&ace[i++], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
map->generic_all, 0);
if ( IS_DC ) {
sid_compose(&domadmin_sid, get_global_sam_sid(),
- DOMAIN_GROUP_RID_ADMINS);
+ DOMAIN_RID_ADMINS);
init_sec_ace(&ace[i++], &domadmin_sid,
SEC_ACE_TYPE_ACCESS_ALLOWED, map->generic_all, 0);
}
if ( IS_DC ) {
DOM_SID domadmin_sid;
sid_compose(&domadmin_sid, get_global_sam_sid(),
- DOMAIN_GROUP_RID_ADMINS);
+ DOMAIN_RID_ADMINS);
if (is_sid_in_token(nt_token, &domadmin_sid)) {
*pacc_requested |= GENERIC_ALL_ACCESS;
return;
}
/*
* Cheat - allow GENERIC_RIGHTS_USER_WRITE if pipe user is
- * in DOMAIN_GROUP_RID_ADMINS. This is almost certainly not
+ * in DOMAIN_RID_ADMINS. This is almost certainly not
* what Windows does but is a hack for people who haven't
* set up privileges on groups in Samba.
*/
if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
if (lp_enable_privileges() && nt_token_check_domain_rid(p->server_info->ptok,
- DOMAIN_GROUP_RID_ADMINS)) {
+ DOMAIN_RID_ADMINS)) {
des_access &= ~GENERIC_RIGHTS_USER_WRITE;
extra_access = GENERIC_RIGHTS_USER_WRITE;
DEBUG(4,("_samr_OpenUser: Allowing "
se_priv_copy(&se_rights, &se_priv_none);
can_add_account = nt_token_check_domain_rid(
p->server_info->ptok,
- DOMAIN_GROUP_RID_ADMINS );
+ DOMAIN_RID_ADMINS );
}
DEBUG(5, ("_samr_CreateUser2: %s can add this account : %s\n",
size_t size;
/* Create new sd */
- sid_append_rid(&owner_sid, DOMAIN_USER_RID_ADMIN);
+ sid_append_rid(&owner_sid, DOMAIN_RID_ADMINISTRATOR);
new_secdesc = make_sec_desc(tmp_ctx,
secdesc->revision,
if ((p->server_info->utok.uid != sec_initial_uid()) &&
( ! nt_token_check_domain_rid(p->server_info->ptok,
- DOMAIN_GROUP_RID_ADMINS))) {
+ DOMAIN_RID_ADMINS))) {
goto done;
}
}
if (!user_has_privileges(token, &se_machine_account) &&
- !nt_token_check_domain_rid(token, DOMAIN_GROUP_RID_ADMINS) &&
+ !nt_token_check_domain_rid(token, DOMAIN_RID_ADMINS) &&
!nt_token_check_sid(&global_sid_Builtin_Administrators, token)) {
DEBUG(5,("_wkssvc_NetrJoinDomain2: account doesn't have "
"sufficient privileges\n"));
}
if (!user_has_privileges(token, &se_machine_account) &&
- !nt_token_check_domain_rid(token, DOMAIN_GROUP_RID_ADMINS) &&
+ !nt_token_check_domain_rid(token, DOMAIN_RID_ADMINS) &&
!nt_token_check_sid(&global_sid_Builtin_Administrators, token)) {
DEBUG(5,("_wkssvc_NetrUnjoinDomain2: account doesn't have "
"sufficient privileges\n"));
for ( i=0; i<argc; i++ ) {
if ( !StrnCaseCmp(argv[i], "rid", strlen("rid")) ) {
rid = get_int_param(argv[i]);
- if ( rid < DOMAIN_GROUP_RID_ADMINS ) {
+ if ( rid < DOMAIN_RID_ADMINS ) {
d_fprintf(stderr,
_("RID must be greater than %d\n"),
- (uint32)DOMAIN_GROUP_RID_ADMINS-1);
+ (uint32)DOMAIN_RID_ADMINS-1);
return -1;
}
}
d_printf(_("Checking for Domain Users group.\n"));
- sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_USERS);
+ sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_USERS);
if (!pdb_getgrsid(&gmap, gsid)) {
LDAPMod **mods = NULL;
d_printf(_("Checking for Domain Admins group.\n"));
- sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_ADMINS);
+ sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_ADMINS);
if (!pdb_getgrsid(&gmap, gsid)) {
LDAPMod **mods = NULL;
goto failed;
}
- sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_ADMIN);
+ sid_compose(&sid, get_global_sam_sid(), DOMAIN_RID_ADMINISTRATOR);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_ACCOUNT);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXACCOUNT);
}
}
- sid_compose(&sid, get_global_sam_sid(), DOMAIN_USER_RID_GUEST);
+ sid_compose(&sid, get_global_sam_sid(), DOMAIN_RID_GUEST);
dn = talloc_asprintf(tc, "uid=%s,%s", pwd->pw_name, lp_ldap_user_suffix ());
uidstr = talloc_asprintf(tc, "%u", (unsigned int)pwd->pw_uid);
goto failed;
}
- sid_compose(&gsid, get_global_sam_sid(), DOMAIN_GROUP_RID_GUESTS);
+ sid_compose(&gsid, get_global_sam_sid(), DOMAIN_RID_GUESTS);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_POSIXGROUP);
smbldap_set_mod(&mods, LDAP_MOD_ADD, "objectClass", LDAP_OBJ_GROUPMAP);
/* Assume "Domain Users" for the primary group */
- sid_compose(&info->group_sid, &domain->sid, DOMAIN_GROUP_RID_USERS );
+ sid_compose(&info->group_sid, &domain->sid, DOMAIN_RID_USERS );
/* Try to fill in what the nss_info backend can do */
DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get password properties.\n"));
}
- if ((my_info3->base.rid != DOMAIN_USER_RID_ADMIN) ||
+ if ((my_info3->base.rid != DOMAIN_RID_ADMINISTRATOR) ||
(password_properties & DOMAIN_PASSWORD_LOCKOUT_ADMINS)) {
my_info3->base.acct_flags |= ACB_AUTOLOCK;
}
something like that. */
sid_compose(&(*info)[i].group_sid, &domain->sid,
- DOMAIN_GROUP_RID_USERS);
+ DOMAIN_RID_USERS);
}
TALLOC_FREE(ps);
something like that. */
sid_compose(&dst->group_sid, &domain->sid,
- DOMAIN_GROUP_RID_USERS);
+ DOMAIN_RID_USERS);
}
} while (NT_STATUS_EQUAL(result, STATUS_MORE_ENTRIES));