authorAndrew Bartlett <abartlet@samba.org>2009-05-29 17:12:06 +1000
committerAndrew Bartlett <abartlet@samba.org>2009-05-29 17:12:06 +1000
commit227553f904186112e9218c4a7c8b1b46fef5b897 (patch)
tree6b5c7cce1272b310557ed9a4680db403e0359d26
parentb83f84c8c3be1ce0319a9f36704e3bf4718e159f (diff)
downloadsamba-227553f904186112e9218c4a7c8b1b46fef5b897.tar.gz
samba-227553f904186112e9218c4a7c8b1b46fef5b897.tar.bz2
samba-227553f904186112e9218c4a7c8b1b46fef5b897.zip
Win2k3 don't allow creating of domain trust accounts over SAMR
-rw-r--r--source4/rpc_server/samr/dcesrv_samr.c10
-rw-r--r--source4/torture/rpc/samr.c2
2 files changed, 6 insertions, 6 deletions
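diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index fabc88d02d..ec60ac7a45 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -1213,6 +1213,9 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL
 if (d_state->builtin) {
 DEBUG(5, ("Cannot create a user in the BUILTIN domain"));
 return NT_STATUS_ACCESS_DENIED;
+ } else if (r->in.acct_flags == ACB_DOMTRUST) {
+ /* Domain trust accounts must be created by the LSA calls */
+ return NT_STATUS_ACCESS_DENIED;
 }
 account_name = r->in.account_name->string;
@@ -1258,6 +1261,7 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL
 } else if (r->in.acct_flags == ACB_WSTRUST) {
 if (cn_name[cn_name_len - 1] != '$') {
+ ldb_transaction_cancel(d_state->sam_ctx);
 return NT_STATUS_FOOBAR;
 }
 cn_name[cn_name_len - 1] = '\0';
@@ -1267,17 +1271,13 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL
 } else if (r->in.acct_flags == ACB_SVRTRUST) {
 if (cn_name[cn_name_len - 1] != '$') {
+ ldb_transaction_cancel(d_state->sam_ctx);
 return NT_STATUS_FOOBAR;
 }
 cn_name[cn_name_len - 1] = '\0';
 container = "OU=Domain Controllers";
 obj_class = "computer";
 samdb_msg_add_int(d_state->sam_ctx, mem_ctx, msg, "primaryGroupID", DOMAIN_RID_DCS);
-
- } else if (r->in.acct_flags == ACB_DOMTRUST) {
- container = "CN=Users";
- obj_class = "user";
-
 } else {
 ldb_transaction_cancel(d_state->sam_ctx);
 return NT_STATUS_INVALID_PARAMETER;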
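Review bot: The two new `ldb_transaction_cancel(d_state->sam_ctx)` calls on the ACB_WSTRUST and ACB_SVRTRUST `'$'` checks stop a transaction being left open, but both paths still `return NT_STATUS_FOOBAR;`, a placeholder that tells the client nothing about why the create failed; the sibling `else` branch in the same hunk returns `NT_STATUS_INVALID_PARAMETER`, so `return NT_STATUS_INVALID_PARAMETER;` in both places would keep the error reporting of this function consistent. The new ACB_DOMTRUST rejection in the first hunk compares `acct_flags` with `==`, so a request carrying ACB_DOMTRUST together with other bits bypasses that guard and ends in the final `else`; that appears intended given the torture table, but the comment only says where trust accounts belong, and `/* Domain trust accounts must be created by the LSA calls; ACB_DOMTRUST combined with other flags falls through to the INVALID_PARAMETER default below */` would make the exact-match semantics explicit. That early return does not cancel a transaction, matching the BUILTIN branch beside it, presumably because the transaction is opened later in the function — worth confirming since the later branches do cancel. dcesrv_samr_CreateUser2 starts before and ends after these hunks.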
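diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 0072a018c8..a1a60bf5b4 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -4372,7 +4372,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
 { ACB_SVRTRUST, TEST_MACHINENAME, NT_STATUS_OK },
 { ACB_SVRTRUST | ACB_DISABLED, TEST_MACHINENAME, NT_STATUS_INVALID_PARAMETER },
 { ACB_SVRTRUST | ACB_PWNOEXP, TEST_MACHINENAME, NT_STATUS_INVALID_PARAMETER },
- { ACB_DOMTRUST, TEST_DOMAINNAME, NT_STATUS_OK },
+ { ACB_DOMTRUST, TEST_DOMAINNAME, NT_STATUS_ACCESS_DENIED },
 { ACB_DOMTRUST | ACB_DISABLED, TEST_DOMAINNAME, NT_STATUS_INVALID_PARAMETER },
 { ACB_DOMTRUST | ACB_PWNOEXP, TEST_DOMAINNAME, NT_STATUS_INVALID_PARAMETER },
 { 0, TEST_ACCOUNT_NAME, NT_STATUS_INVALID_PARAMETER },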
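Review bot: The updated ACB_DOMTRUST row now expects NT_STATUS_ACCESS_DENIED while the neighbouring rows that combine ACB_DOMTRUST with ACB_DISABLED or ACB_PWNOEXP keep NT_STATUS_INVALID_PARAMETER; that split only holds because the server matches `acct_flags` exactly rather than testing the bit, which a reader of the table cannot see. A short comment on the changed row, `/* bare ACB_DOMTRUST is refused over SAMR; combined flags hit the server's INVALID_PARAMETER default */`, would record that dependency for whoever next changes either side. test_CreateUser2 starts before and ends after this hunk.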