authorGerald Carter <jerry@samba.org>2005-12-11 04:39:33 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:05:48 -0500
commit143103954cf80c211b7799ebfd4f9ad12ff7c420 (patch)
treef211439a621f15006238a904e8a58618567aada5
parenta48955306705ac7f045e3726d7097900550bebe3 (diff)
downloadsamba-143103954cf80c211b7799ebfd4f9ad12ff7c420.tar.gz
samba-143103954cf80c211b7799ebfd4f9ad12ff7c420.tar.bz2
samba-143103954cf80c211b7799ebfd4f9ad12ff7c420.zip
r12174: Simple patch to work around the current lack of BUILTIN
nested group support. Always add the BUILTIN\Administrators SID to a Domain Admins token. This solves the extra steps of establishing a group map for the local Administrators SID in order to control services. Windows also tends to expect the Administrators group to be usable when setting up security permissions on shares. Volker's work will probably fix this long term, but this gets us past some of the setup hurdles for 3.0.21. (This used to be commit 170b6a68bcbd66bae322c5b1b8c8501ca96acab2)
-rw-r--r--source3/auth/auth_util.c56
1 files changed, 53 insertions, 3 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index ce1ce31d08..497f16adf2 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -471,9 +471,12 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro
NT_USER_TOKEN *ptoken;
int i;
int sid_ndx;
+ DOM_SID domadm;
+ BOOL is_domain_admin = False;
+ BOOL domain_mode = False;
if ((ptoken = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) {
- DEBUG(0, ("create_nt_token: Out of memory allocating token\n"));
+ DEBUG(0, ("create_nt_user_token: Out of memory allocating token\n"));
nt_status = NT_STATUS_NO_MEMORY;
return nt_status;
}
@@ -483,7 +486,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro
ptoken->num_sids = n_groupSIDs + 5;
if ((ptoken->user_sids = SMB_MALLOC_ARRAY( DOM_SID, ptoken->num_sids )) == NULL) {
- DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n"));
+ DEBUG(0, ("create_nt_user_token: Out of memory allocating SIDs\n"));
nt_status = NT_STATUS_NO_MEMORY;
return nt_status;
}
@@ -517,6 +520,27 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro
sid_ndx = 5; /* next available spot */
+ /* this is where we construct the domain admins SID if we can
+ so that we can add the BUILTIN\Administrators SID to the token */
+
+ ZERO_STRUCT( domadm );
+ if ( IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER ) {
+ domain_mode = True;
+
+ if ( IS_DC )
+ sid_copy( &domadm, get_global_sam_sid() );
+ else {
+ /* if we a re a member server and cannot find
+ out domain SID then reset the domain_mode flag */
+ if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) )
+ domain_mode = False;
+ }
+
+ sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS );
+ }
+
+ /* add the group SIDs to teh token */
+
for (i = 0; i < n_groupSIDs; i++) {
size_t check_sid_idx;
for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) {
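Review bot: `sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS )` runs even when `secrets_fetch_domain_sid()` has just failed and `domain_mode` was reset to False, so `domadm` can end up as a zeroed SID with a RID appended. It is harmless today only because every later use of `domadm` is gated on `domain_mode`; guarding the append the same way keeps the invariant local and obvious: `if ( domain_mode ) sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS );`. The new comments also carry typos worth fixing in the same pass: "we a re" → "we are", "out domain SID" → "our domain SID", "teh token" → "the token". create_nt_user_token() continues outside this hunk.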
@@ -531,6 +555,30 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro
} else {
ptoken->num_sids--;
}
+
+ /* here we check if the user is a domain admin and add the
+ BUILTIN\Administrators SID to the token the group membership
+ check succeeds. */
+
+ if ( domain_mode ) {
+ if ( sid_equal( &domadm, &groupSIDs[i] ) )
+ is_domain_admin = True;
+ }
+
+ }
+
+ /* finally realloc the SID array and add the BUILTIN\Administrators
+ SID if necessary */
+
+ if ( is_domain_admin ) {
+ DOM_SID *sids;
+
+ if ( !(sids = SMB_REALLOC_ARRAY( ptoken->user_sids, DOM_SID, ptoken->num_sids+1 )) )
+ DEBUG(0,("create_nt_user_token: Failed to realloc SID arry of size %d\n", ptoken->num_sids+1));
+ else {
+ ptoken->user_sids = sids;
+ sid_copy( &(ptoken->user_sids)[ptoken->num_sids++], &global_sid_Builtin_Administrators );
+ }
}
/* add privileges assigned to this user */
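Review bot: The BUILTIN\Administrators SID appended after the realloc bypasses the duplicate check that the preceding loop applies to every entry from `groupSIDs`, so if that SID is already in the token (for example through the existing group-mapping route the commit description mentions) it is added a second time. A scan of `ptoken->user_sids` for `global_sid_Builtin_Administrators` before the realloc avoids the duplicate; the rewrite below keeps the fail-closed behaviour on realloc failure (token returned without the extra SID). Separately, `check_sid_idx` is declared `size_t` and compared against `ptoken->num_sids`, which suggests `num_sids` may not be an `int`; if so the `%d` in the new DEBUG line at the realloc failure should match the actual type. create_nt_user_token() continues outside this hunk.
```c
	if ( is_domain_admin ) {
		DOM_SID *sids;
		size_t j;

		/* the de-duplication loop above never sees this SID; skip the
		   append if BUILTIN\Administrators is already in the token */
		for ( j = 0; j < ptoken->num_sids; j++ ) {
			if ( sid_equal( &ptoken->user_sids[j], &global_sid_Builtin_Administrators ) )
				break;
		}

		if ( j == ptoken->num_sids ) {
			if ( !(sids = SMB_REALLOC_ARRAY( ptoken->user_sids, DOM_SID, ptoken->num_sids+1 )) )
				DEBUG(0,("create_nt_user_token: Failed to realloc SID arry of size %d\n", ptoken->num_sids+1));
			else {
				ptoken->user_sids = sids;
				sid_copy( &(ptoken->user_sids)[ptoken->num_sids++], &global_sid_Builtin_Administrators );
			}
		}
	}
	/* … unchanged: privilege assignment … */
```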
@@ -602,6 +650,8 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups,
return NULL;
}
+ /* convert the Unix group ids to SIDS */
+
for (i = 0; i < ngroups; i++) {
if (!NT_STATUS_IS_OK(gid_to_sid(&(group_sids)[i], (groups)[i]))) {
DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i]));
@@ -640,7 +690,7 @@ NT_USER_TOKEN *get_root_nt_token( void )
return token;
if ( !(pw = getpwnam( "root" )) ) {
- DEBUG(0,("create_root_nt_token: getpwnam\"root\") failed!\n"));
+ DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n"));
return NULL;
}