diff options
author | Andrew Bartlett <abartlet@samba.org> | 2003-03-21 13:35:15 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2003-03-21 13:35:15 +0000 |
commit | eeae85278106abff538ed672116a81bec29906e3 (patch) | |
tree | f61f14fa74ec239e7bf02e8017713f06d697bf2d | |
parent | 70788c30fb6503a94d83d36eec3dd51a8700c4be (diff) | |
download | samba-eeae85278106abff538ed672116a81bec29906e3.tar.gz samba-eeae85278106abff538ed672116a81bec29906e3.tar.bz2 samba-eeae85278106abff538ed672116a81bec29906e3.zip |
(merge from HEAD)
Give volker a hand, and let domain joins with existing user accounts work
a bit better.
This just sets the minimum possible attributes - if we are 'upgrading' an
LDAP based user account, the attributes will be there anyway. This matches
NT pretty well to.
This also fixes some use of unitialised values in the desired_access checking.
(found by valgrind).
Andrew Bartlett
(This used to be commit 536e24ee5b83eaa77be81dd50e3e1a5010b5abf4)
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 40 |
1 files changed, 33 insertions, 7 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d766e9c19e..f174114473 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -81,6 +81,7 @@ NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, u NTSTATUS status = NT_STATUS_ACCESS_DENIED; if (!se_access_check(psd, nt_user_token, des_access, acc_granted, &status)) { + *acc_granted = des_access; if (geteuid() == sec_initial_uid()) { DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access)); @@ -2199,7 +2200,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ uint32 acc_granted; SEC_DESC *psd; size_t sd_size; - uint32 des_access; + uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS; /* Get the domain SID stored in the domain policy */ if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted)) @@ -2284,25 +2285,50 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); } + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) { + return nt_status; + } + pw = getpwnam_alloc(account); if (pw) { - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sam_pass, pw))) { - passwd_free(&pw); - return nt_status; + DOM_SID user_sid; + DOM_SID group_sid; + if (!uid_to_sid(&user_sid, pw->pw_uid)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + DEBUG(1, ("_api_samr_create_user: uid_to_sid failed, cannot add user.\n")); + return NT_STATUS_ACCESS_DENIED; } + + if (!pdb_set_user_sid(sam_pass, &user_sid, PDB_CHANGED)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + return NT_STATUS_NO_MEMORY; + } + + if (!gid_to_sid(&group_sid, pw->pw_gid)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + DEBUG(1, ("_api_samr_create_user: gid_to_sid failed, cannot add user.\n")); + return NT_STATUS_ACCESS_DENIED; + } + + if (!pdb_set_group_sid(sam_pass, &group_sid, PDB_CHANGED)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + return NT_STATUS_NO_MEMORY; + } + passwd_free(&pw); /* done with this now */ } else { DEBUG(3,("attempting to create non-unix account %s\n", account)); - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) { - return nt_status; } if (!pdb_set_username(sam_pass, account, PDB_CHANGED)) { pdb_free_sam(&sam_pass); return NT_STATUS_NO_MEMORY; - } } pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED); |