authorJoseph Sutton <josephsutton@catalyst.net.nz>2022-03-14 18:14:15 +1300
committerJoseph Sutton <jsutton@samba.org>2022-03-17 23:11:37 +0000
commite61fa573fe1a911460cfb3b64ba05b031d124256 (patch)
tree58064ea2fbc2cd34e2f62afa526ebc643bbd5946
parent9b913fcb0f4e69b9fd7db1c974d7534ef356a318 (diff)
downloadsamba-e61fa573fe1a911460cfb3b64ba05b031d124256.tar.gz
sddl: Fix incorrect SDDL SID strings
Change the values to match those used by Windows. Verified with PowerShell commands of the form: New-Object Security.Principal.SecurityIdentifier ER Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r--libcli/security/sddl.c8
-rw-r--r--librpc/idl/security.idl2
-rw-r--r--selftest/knownfail.d/sid-strings3
3 files changed, 7 insertions, 6 deletions
diff --git a/libcli/security/sddl.c b/libcli/security/sddl.c
index 26049ec458a..046a9284f5e 100644
--- a/libcli/security/sddl.c
+++ b/libcli/security/sddl.c
@@ -104,7 +104,6 @@ static const struct {
{ .code = "SY", .sid = SID_NT_SYSTEM },
{ .code = "LS", .sid = SID_NT_LOCAL_SERVICE },
{ .code = "NS", .sid = SID_NT_NETWORK_SERVICE },
- { .code = "IS", .sid = SID_NT_IUSR },
{ .code = "BA", .sid = SID_BUILTIN_ADMINISTRATORS },
{ .code = "BU", .sid = SID_BUILTIN_USERS },
@@ -121,11 +120,15 @@ static const struct {
{ .code = "NO", .sid = SID_BUILTIN_NETWORK_CONF_OPERATORS },
{ .code = "IF", .sid = SID_BUILTIN_INCOMING_FOREST_TRUST },
+ { .code = "IS", .sid = SID_BUILTIN_IUSERS },
+ { .code = "ER", .sid = SID_BUILTIN_EVENT_LOG_READERS },
+
+ { .code = "RO", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS },
+
{ .code = "LA", .sid = NULL, .rid = DOMAIN_RID_ADMINISTRATOR },
{ .code = "LG", .sid = NULL, .rid = DOMAIN_RID_GUEST },
{ .code = "LK", .sid = NULL, .rid = DOMAIN_RID_KRBTGT },
- { .code = "ER", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_READONLY_DCS },
{ .code = "DA", .sid = NULL, .rid = DOMAIN_RID_ADMINS },
{ .code = "DU", .sid = NULL, .rid = DOMAIN_RID_USERS },
{ .code = "DG", .sid = NULL, .rid = DOMAIN_RID_GUESTS },
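Review bot: The `ER`, `IS` and `RO` entries change meaning in place, so SDDL text produced or stored under the old table now decodes to a different trustee: `ER` used to resolve to `DOMAIN_RID_ENTERPRISE_READONLY_DCS` and now names `SID_BUILTIN_EVENT_LOG_READERS`, `IS` moves from `SID_NT_IUSR` to `SID_BUILTIN_IUSERS`, and `RO` moves from `DOMAIN_RID_READONLY_DCS` (removed in the last hunk of this file) to `DOMAIN_RID_ENTERPRISE_READONLY_DCS`. An ACE written with the old codes would silently apply to another group after an upgrade, so I would add a comment above the new entries such as `/* ER/IS/RO follow Windows; strings written by older builds used different SIDs for these codes */` and mention the change in the release notes. Separately, `RO` names an enterprise-wide group, and if the `.rid` entries are resolved against whatever domain SID the caller passes in (that code is outside this hunk), the result is only right when that is the forest root domain; this deserves a comment or a follow-up. The table starts and ends outside the hunk.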
@@ -135,7 +138,6 @@ static const struct {
{ .code = "SA", .sid = NULL, .rid = DOMAIN_RID_SCHEMA_ADMINS },
{ .code = "EA", .sid = NULL, .rid = DOMAIN_RID_ENTERPRISE_ADMINS },
{ .code = "PA", .sid = NULL, .rid = DOMAIN_RID_POLICY_ADMINS },
- { .code = "RO", .sid = NULL, .rid = DOMAIN_RID_READONLY_DCS },
{ .code = "RS", .sid = NULL, .rid = DOMAIN_RID_RAS_SERVERS }
};
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 9845becd826..0736cf18725 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -274,6 +274,7 @@ interface security
const string SID_BUILTIN_AUTH_ACCESS = "S-1-5-32-560";
const string SID_BUILTIN_TS_LICENSE_SERVERS = "S-1-5-32-561";
const string SID_BUILTIN_DISTRIBUTED_COM_USERS = "S-1-5-32-562";
+ const string SID_BUILTIN_IUSERS = "S-1-5-32-568";
const string SID_BUILTIN_CRYPTO_OPERATORS = "S-1-5-32-569";
const string SID_BUILTIN_EVENT_LOG_READERS = "S-1-5-32-573";
const string SID_BUILTIN_CERT_SERV_DCOM_ACCESS = "S-1-5-32-574";
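Review bot: `SID_BUILTIN_IUSERS`, and `BUILTIN_RID_IUSERS` in the second hunk of this file, differ only slightly in name from the existing `SID_NT_IUSR`, which is the SID the `IS` code pointed at before this commit, and nothing at the definition tells a reader which is which. A short comment on the new constant would keep the two from being mixed up again in an ACL or a mapping table, for example `/* BUILTIN\IIS_IUSRS; distinct from SID_NT_IUSR */`. The interface body continues outside both hunks.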
@@ -344,6 +345,7 @@ interface security
const int BUILTIN_RID_AUTH_ACCESS = 560;
const int BUILTIN_RID_TS_LICENSE_SERVERS = 561;
const int BUILTIN_RID_DISTRIBUTED_COM_USERS = 562;
+ const int BUILTIN_RID_IUSERS = 568;
const int BUILTIN_RID_CRYPTO_OPERATORS = 569;
const int BUILTIN_RID_EVENT_LOG_READERS = 573;
const int BUILTIN_RID_CERT_SERV_DCOM_ACCESS = 574;
diff --git a/selftest/knownfail.d/sid-strings b/selftest/knownfail.d/sid-strings
index ac7683b8a55..87fa4eb15f7 100644
--- a/selftest/knownfail.d/sid-strings
+++ b/selftest/knownfail.d/sid-strings
@@ -8,12 +8,10 @@
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_CN.ad_dc
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_CY.ad_dc
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_EK.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_ER.ad_dc
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_ES.ad_dc
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_HA.ad_dc
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_HI.ad_dc
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_IF.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_IS.ad_dc
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_KA.ad_dc
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_LK.ad_dc
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_LU.ad_dc
@@ -25,7 +23,6 @@
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_OW.ad_dc
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_RA.ad_dc
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_RM.ad_dc
-^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_RO.ad_dc
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_SI.ad_dc
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_SS.ad_dc
^samba.tests.sid_strings.samba.tests.sid_strings.SidStringTests.test_sid_string_WR.ad_dc