authorGerald Carter <jerry@samba.org>2005-02-14 02:41:34 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:55:39 -0500
commit467da937c7e1361dca1d4a535db96cdb78e10b13 (patch)
tree8a108383cf06ee11c62f085735d6ca784b75b441
parent9e52e989ab46bf131185c05651dca1799d73f0a3 (diff)
r5385: when operating in security = domain, allow domain admins to manage rights assignments
(This used to be commit fec9cb7daa9b780aab019c0e0d7f2692c168019f)
-rw-r--r--source3/auth/auth_util.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 5c933e90c9..7a186f65cd 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1515,7 +1515,19 @@ BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid )
{
DOM_SID domain_sid;
- sid_copy( &domain_sid, get_global_sam_sid() );
+ /* if we are a domain member, the get the domain SID, else for
+ a DC or standalone server, use our own SID */
+
+ if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
+ if ( !secrets_fetch_domain_sid( lp_workgroup(), &domain_sid ) ) {
+ DEBUG(1,("nt_token_check_domain_rid: Cannot lookup SID for domain [%s]\n",
+ lp_workgroup()));
+ return False;
+ }
+ }
+ else
+ sid_copy( &domain_sid, get_global_sam_sid() );
+
sid_append_rid( &domain_sid, rid );
return nt_token_check_sid( &domain_sid, token );\
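Review bot: The unbraced `else` that closes the added block sits under a braced, multi-line `if`, so a later edit could add a second statement that runs on both paths of this authorization check; brace it as `else { sid_copy( &domain_sid, get_global_sam_sid() ); }`. The comment above the block has a typo ("the get") and leaves out the security-relevant behaviour: on a domain member the RID is now matched against the domain SID fetched for `lp_workgroup()`, and a failed fetch returns False, so the check denies rather than falling back to the local SAM SID. I would reword it to `/* domain member: match the RID against the joined domain's SID and deny if it cannot be fetched; DC or standalone: use our own SAM SID */`. The function's closing brace is outside the hunk, and its signature is visible only in the hunk header.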