From: Joseph Sutton Date: Mon, 14 Mar 2022 05:18:09 +0000 (+1300) Subject: sddl: Add new SDDL SID strings X-Git-Tag: tevent-0.12.0~389 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=732d17a129ab0f48d0025f5992af38d442b1fc6a;p=thirdparty%2Fsamba.git sddl: Add new SDDL SID strings Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher
---
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 046a9284f5e..5f7d70be980 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -92,6 +92,7 @@ static const struct {
 { .code = "CO", .sid = SID_CREATOR_OWNER },
 { .code = "CG", .sid = SID_CREATOR_GROUP },
+ { .code = "OW", .sid = SID_OWNER_RIGHTS },
 { .code = "NU", .sid = SID_NT_NETWORK },
 { .code = "IU", .sid = SID_NT_INTERACTIVE },
@@ -104,6 +105,7 @@ static const struct {
 { .code = "SY", .sid = SID_NT_SYSTEM },
 { .code = "LS", .sid = SID_NT_LOCAL_SERVICE },
 { .code = "NS", .sid = SID_NT_NETWORK_SERVICE },
+ { .code = "WR", .sid = SID_SECURITY_RESTRICTED_CODE },
 { .code = "BA", .sid = SID_BUILTIN_ADMINISTRATORS },
 { .code = "BU", .sid = SID_BUILTIN_USERS },
@@ -120,8 +122,31 @@ static const struct {
 { .code = "NO", .sid = SID_BUILTIN_NETWORK_CONF_OPERATORS },
 { .code = "IF", .sid = SID_BUILTIN_INCOMING_FOREST_TRUST },
+ { .code = "MU", .sid = SID_BUILTIN_PERFMON_USERS },
+ { .code = "LU", .sid = SID_BUILTIN_PERFLOG_USERS },
 { .code = "IS", .sid = SID_BUILTIN_IUSERS },
+ { .code = "CY", .sid = SID_BUILTIN_CRYPTO_OPERATORS },
 { .code = "ER", .sid = SID_BUILTIN_EVENT_LOG_READERS },
+ { .code = "CD", .sid = SID_BUILTIN_CERT_SERV_DCOM_ACCESS },
+ { .code = "RA", .sid = SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS },
+ { .code = "ES", .sid = SID_BUILTIN_RDS_ENDPOINT_SERVERS },
+ { .code = "MS", .sid = SID_BUILTIN_RDS_MANAGEMENT_SERVERS },
+ { .code = "HA", .sid = SID_BUILTIN_HYPER_V_ADMINS },
+ { .code = "AA", .sid = SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS },
+ { .code = "RM", .sid = SID_BUILTIN_REMOTE_MANAGEMENT_USERS },
+
+ { .code = "UD", .sid = SID_USER_MODE_DRIVERS },
+
+ { .code = "AC", .sid = SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE },
+
+ { .code = "LW", .sid = SID_SECURITY_MANDATORY_LOW },
+ { .code = "ME", .sid = SID_SECURITY_MANDATORY_MEDIUM },
+ { .code = "MP", .sid = SID_SECURITY_MANDATORY_MEDIUM_PLUS },
+ { .code = "HI", .sid = SID_SECURITY_MANDATORY_HIGH },
+ { .code = "SI", .sid = SID_SECURITY_MANDATORY_SYSTEM },
+
+ { .code = "AS", .sid = SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY },
+ { .code = "SS", .sid = SID_SERVICE_ASSERTED_IDENTITY },
 { .code = "RO", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS },
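Review bot: If this table is also read when a SID is encoded back into SDDL (the encoder is outside this hunk, so this needs confirming), the rows added here from `"MU"` to `"SS"` change the strings that are emitted as well as the strings that are accepted. A descriptor carrying, for example, the SID behind `SID_SECURITY_MANDATORY_LOW` would then be written as `LW` instead of its full form, and a build without this commit could not parse that output. A comment above the table would record the coupling, e.g. `/* used for decoding and encoding: adding a code changes emitted SDDL */`. The table definition starts before this hunk.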
@@ -138,6 +163,13 @@ static const struct {
 { .code = "SA", .sid = NULL, .rid = DOMAIN_RID_SCHEMA_ADMINS },
 { .code = "EA", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_ADMINS },
 { .code = "PA", .sid = NULL, .rid = DOMAIN_RID_POLICY_ADMINS },
+
+ { .code = "CN", .sid = NULL, .rid = DOMAIN_RID_CLONEABLE_CONTROLLERS },
+
+ { .code = "AP", .sid = NULL, .rid = DOMAIN_RID_PROTECTED_USERS },
+ { .code = "KA", .sid = NULL, .rid = DOMAIN_RID_KEY_ADMINS },
+ { .code = "EK", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_KEY_ADMINS },
 { .code = "RS", .sid = NULL, .rid = DOMAIN_RID_RAS_SERVERS }
 };
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 0736cf18725..6b867595a28 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -278,6 +278,14 @@ interface security
 const string SID_BUILTIN_CRYPTO_OPERATORS = "S-1-5-32-569";
 const string SID_BUILTIN_EVENT_LOG_READERS = "S-1-5-32-573";
 const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS = "S-1-5-32-574";
+ const string SID_BUILTIN_RDS_REMOTE_ACCESS_SERVERS = "S-1-5-32-575";
+ const string SID_BUILTIN_RDS_ENDPOINT_SERVERS = "S-1-5-32-576";
+ const string SID_BUILTIN_RDS_MANAGEMENT_SERVERS = "S-1-5-32-577";
+ const string SID_BUILTIN_HYPER_V_ADMINS = "S-1-5-32-578";
+ const string SID_BUILTIN_ACCESS_CONTROL_ASSISTANCE_OPS = "S-1-5-32-579";
+ const string SID_BUILTIN_REMOTE_MANAGEMENT_USERS = "S-1-5-32-580";
+
+ const string SID_SECURITY_RESTRICTED_CODE = "S-1-5-33";
 /* UID/GID mapping Samba style */
 const string SID_SAMBA_UNIX_USER_OWNER = "S-1-22-1";
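Review bot: In the sddl.c hunk at -138, `"EK"` is added as a bare RID (`.sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_KEY_ADMINS`), the same shape as the per-domain `"KA"` row, although Enterprise Key Admins is defined relative to the forest root domain on Windows. If the decoder, which is outside this hunk, appends the RID to whatever domain SID the caller passes, then in a child domain `EK` would resolve to that domain's RID 527 rather than the root domain's group. The existing `"EA"` and `"SA"` rows appear to share this. A comment on the row would make the limitation visible to anyone relying on the code in an ACL, e.g. `/* forest-root group on Windows; resolved against the caller's domain SID here */`. The table starts before this hunk.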
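Review bot: In the security.idl hunk at -278, the name `SID_SECURITY_RESTRICTED_CODE` for `"S-1-5-33"` drops the word that distinguishes it. S-1-5-33 is the write-restricted-code SID, which is why sddl.c maps it to `"WR"`, while plain restricted code is S-1-5-12. Someone writing a restricted-token check from the name alone could pick the wrong SID. Either rename it to `SID_SECURITY_WRITE_RESTRICTED_CODE` and update the `"WR"` row in sddl.c to match, or add `/* write-restricted code, SDDL "WR"; not S-1-5-12 */` beside the definition.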
@@ -296,6 +304,16 @@ interface security
 const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
 const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
+ const string SID_USER_MODE_DRIVERS = "S-1-5-84-0-0-0-0-0";
+
+ const string SID_SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE = "S-1-15-2-1";
+
+ const string SID_SECURITY_MANDATORY_LOW = "S-1-16-4096";
+ const string SID_SECURITY_MANDATORY_MEDIUM = "S-1-16-8192";
+ const string SID_SECURITY_MANDATORY_MEDIUM_PLUS = "S-1-16-8448";
+ const string SID_SECURITY_MANDATORY_HIGH = "S-1-16-12288";
+ const string SID_SECURITY_MANDATORY_SYSTEM = "S-1-16-16384";
+
 /*
 * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
 */
@@ -321,6 +339,10 @@ interface security
 const int DOMAIN_RID_ENTERPRISE_ADMINS = 519;
 const int DOMAIN_RID_POLICY_ADMINS = 520;
 const int DOMAIN_RID_READONLY_DCS = 521;
+ const int DOMAIN_RID_CLONEABLE_CONTROLLERS = 522;
+ const int DOMAIN_RID_PROTECTED_USERS = 525;
+ const int DOMAIN_RID_KEY_ADMINS = 526;
+ const int DOMAIN_RID_ENTERPRISE_KEY_ADMINS = 527;
 const int DOMAIN_RID_RAS_SERVERS = 553;
 const int DOMAIN_RID_RODC_ALLOW = 571;
 const int DOMAIN_RID_RODC_DENY = 572;
@@ -349,6 +371,12 @@ interface security
 const int BUILTIN_RID_CRYPTO_OPERATORS = 569;
 const int BUILTIN_RID_EVENT_LOG_READERS = 573;
 const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS = 574;
+ const int BUILTIN_RID_RDS_REMOTE_ACCESS_SERVERS = 575;
+ const int BUILTIN_RID_RDS_ENDPOINT_SERVERS = 576;
+ const int BUILTIN_RID_RDS_MANAGEMENT_SERVERS = 577;
+ const int BUILTIN_RID_HYPER_V_ADMINS = 578;
+ const int BUILTIN_RID_ACCESS_CONTROL_ASSISTANCE_OPS = 579;
+ const int BUILTIN_RID_REMOTE_MANAGEMENT_USERS = 580;
 /********************************************************************
 This is a list of privileges reported by a WIndows 2008 R2 DC
diff --git a/selftest/knownfail.d/sid-strings b/selftest/knownfail.d/sid-strings
index 87fa4eb15f7..a9cefedc8a2 100644
--- a/selftest/knownfail.d/sid-strings
+++ b/selftest/knownfail.d/sid-strings 
@@ -1,30 +1,6 @@
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_AA.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_AC.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_AP.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_AS.ad_dc
 ^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_Aa.ad_dc
 ^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_BR.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_CD.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_CN.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_CY.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_EK.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_ES.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_HA.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_HI.ad_dc
 ^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_IF.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_KA.ad_dc
 ^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_LK.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_LU.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_LW.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_ME.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_MP.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_MS.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_MU.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_OW.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_RA.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_RM.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_SI.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_SS.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_WR.ad_dc
 ^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_aA.ad_dc
 ^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_aa.ad_dc