diff options
author | Tim Prouty <tim.prouty@isilon.com> | 2008-07-23 20:42:32 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2008-07-30 14:06:15 -0700 |
commit | bbb02aa8e925774532376b6a6218a4cbbb708c38 (patch) | |
tree | 2527938c1150c57f0ec21404447c5170e443c9ea | |
parent | fb41bb762f1d9b1623c4fe6179bebbe4de2e2440 (diff) | |
download | samba-bbb02aa8e925774532376b6a6218a4cbbb708c38.tar.gz samba-bbb02aa8e925774532376b6a6218a4cbbb708c38.tar.bz2 samba-bbb02aa8e925774532376b6a6218a4cbbb708c38.zip |
Refactored the code that adds Domain Admins to BUILTIN\Administrators to use the new helper functions.
- Modified create_builtin_administrators and add_builtin_administrators to take
in the domain sid to reduce the number of times it needs to be looked up.
- Changed create_builtin_administrators to call the new helper functions.
- Changed create_local_nt_token to call the new version of
create_builtin_administrators and handle the new error that can be returned.
- Made it more explicit that add_builtin_administrators is only called when
winbindd can't be pinged.
(This used to be commit f6411ccb4a1530034e481e1c63b6114a93317b29)
-rw-r--r-- | source3/auth/token_util.c | 56 |
1 files changed, 30 insertions, 26 deletions
diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c index e41df5d9ae..281741298a 100644 --- a/source3/auth/token_util.c +++ b/source3/auth/token_util.c @@ -165,7 +165,8 @@ done: /******************************************************************* *******************************************************************/ -static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) +static NTSTATUS add_builtin_administrators(struct nt_user_token *token, + const DOM_SID *dom_sid) { DOM_SID domadm; NTSTATUS status; @@ -181,8 +182,7 @@ static NTSTATUS add_builtin_administrators( struct nt_user_token *token ) if ( IS_DC ) { sid_copy( &domadm, get_global_sam_sid() ); } else { - if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) ) - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + sid_copy(&domadm, dom_sid); } sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS ); @@ -292,7 +292,7 @@ static NTSTATUS create_builtin_users(const DOM_SID *dom_sid) /******************************************************************* *******************************************************************/ -static NTSTATUS create_builtin_administrators( void ) +static NTSTATUS create_builtin_administrators(const DOM_SID *dom_sid) { NTSTATUS status; DOM_SID dom_admins, root_sid; @@ -301,7 +301,7 @@ static NTSTATUS create_builtin_administrators( void ) TALLOC_CTX *ctx; bool ret; - status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS ); + status = create_builtin(BUILTIN_ALIAS_RID_ADMINS); if ( !NT_STATUS_IS_OK(status) ) { DEBUG(5,("create_builtin_administrators: Failed to create Administrators\n")); return status; @@ -309,10 +309,10 @@ static NTSTATUS create_builtin_administrators( void ) /* add domain admins */ if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) - && secrets_fetch_domain_sid(lp_workgroup(), &dom_admins)) + && sid_compose(&dom_admins, dom_sid, DOMAIN_GROUP_RID_ADMINS)) { - sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS); - status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins ); + status = add_sid_to_builtin(&global_sid_Builtin_Administrators, + &dom_admins); if ( !NT_STATUS_IS_OK(status) ) { DEBUG(4,("create_builtin_administrators: Failed to add Domain Admins" " Administrators\n")); @@ -330,7 +330,8 @@ static NTSTATUS create_builtin_administrators( void ) TALLOC_FREE( ctx ); if ( ret ) { - status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid ); + status = add_sid_to_builtin(&global_sid_Builtin_Administrators, + &root_sid); if ( !NT_STATUS_IS_OK(status) ) { DEBUG(4,("create_builtin_administrators: Failed to add root" " Administrators\n")); @@ -433,27 +434,30 @@ struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, be resolved then assume that the add_aliasmem( S-1-5-32 ) handled it. */ - if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) { - /* We can only create a mapping if winbind is running - and the nested group functionality has been enabled */ + if (!sid_to_gid(&global_sid_Builtin_Administrators, &gid)) { - if ( lp_winbind_nested_groups() && winbind_ping() ) { - become_root(); - status = create_builtin_administrators( ); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(2,("WARNING: Failed to create BUILTIN\\Administrators " - "group! Can Winbind allocate gids?\n")); - /* don't fail, just log the message */ - } - unbecome_root(); + become_root(); + if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) { + status = NT_STATUS_OK; + DEBUG(3, ("Failed to fetch domain sid for %s\n", + lp_workgroup())); + } else { + status = create_builtin_administrators(&dom_sid); } - else { - status = add_builtin_administrators( result ); + unbecome_root(); + + if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) { + /* Add BUILTIN\Administrators directly to token. */ + status = add_builtin_administrators(result, &dom_sid); if ( !NT_STATUS_IS_OK(status) ) { - /* just log a complaint but do not fail */ - DEBUG(3,("create_local_nt_token: failed to check for local Administrators" - " membership (%s)\n", nt_errstr(status))); + DEBUG(3, ("Failed to check for local " + "Administrators membership (%s)\n", + nt_errstr(status))); } + } else if (!NT_STATUS_IS_OK(status)) { + DEBUG(2, ("WARNING: Failed to create " + "BUILTIN\\Administrators group! Can " + "Winbind allocate gids?\n")); } } |