summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2003-03-21 13:28:06 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-03-21 13:28:06 +0000
commit677838b9997d89dc53c9b5b9a3601c0bc2cbdf80 (patch)
tree16595fd19f08271ae3879dd5a0aeaf95c096cb7c
parent5c913362dcc2a7d64335a43ae03867aa9e6beef4 (diff)
downloadsamba-677838b9997d89dc53c9b5b9a3601c0bc2cbdf80.tar.gz
samba-677838b9997d89dc53c9b5b9a3601c0bc2cbdf80.tar.bz2
samba-677838b9997d89dc53c9b5b9a3601c0bc2cbdf80.zip
Give volker a hand, and let domain joins with existing user accounts work
a bit better. This just sets the minimum possible attributes - if we are 'upgrading' an LDAP based user account, the attributes will be there anyway. This matches NT pretty well to. This also fixes some use of unitialised values in the desired_access checking. (found by valgrind). Andrew Bartlett (This used to be commit 929213ff2a5829ba8435ba1be0de317bca1e0da0)
-rw-r--r--source3/rpc_server/srv_samr_nt.c50
1 files changed, 38 insertions, 12 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index d766e9c19e..7448dc6401 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -81,6 +81,7 @@ NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, u
NTSTATUS status = NT_STATUS_ACCESS_DENIED;
if (!se_access_check(psd, nt_user_token, des_access, acc_granted, &status)) {
+ *acc_granted = des_access;
if (geteuid() == sec_initial_uid()) {
DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n",
debug, des_access));
@@ -2199,7 +2200,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_
uint32 acc_granted;
SEC_DESC *psd;
size_t sd_size;
- uint32 des_access;
+ uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
/* Get the domain SID stored in the domain policy */
if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted))
@@ -2284,25 +2285,50 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_
DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret));
}
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) {
+ return nt_status;
+ }
+
pw = getpwnam_alloc(account);
if (pw) {
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sam_pass, pw))) {
- passwd_free(&pw);
- return nt_status;
+ DOM_SID user_sid;
+ DOM_SID group_sid;
+ if (!uid_to_sid(&user_sid, pw->pw_uid)) {
+ passwd_free(&pw); /* done with this now */
+ pdb_free_sam(&sam_pass);
+ DEBUG(1, ("_api_samr_create_user: uid_to_sid failed, cannot add user.\n"));
+ return NT_STATUS_ACCESS_DENIED;
}
- passwd_free(&pw); /* done with this now */
- } else {
- DEBUG(3,("attempting to create non-unix account %s\n", account));
-
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) {
- return nt_status;
+
+ if (!pdb_set_user_sid(sam_pass, &user_sid, PDB_CHANGED)) {
+ passwd_free(&pw); /* done with this now */
+ pdb_free_sam(&sam_pass);
+ return NT_STATUS_NO_MEMORY;
}
-
- if (!pdb_set_username(sam_pass, account, PDB_CHANGED)) {
+
+ if (!gid_to_sid(&group_sid, pw->pw_gid)) {
+ passwd_free(&pw); /* done with this now */
+ pdb_free_sam(&sam_pass);
+ DEBUG(1, ("_api_samr_create_user: gid_to_sid failed, cannot add user.\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (!pdb_set_group_sid(sam_pass, &group_sid, PDB_CHANGED)) {
+ passwd_free(&pw); /* done with this now */
pdb_free_sam(&sam_pass);
return NT_STATUS_NO_MEMORY;
}
+
+ passwd_free(&pw); /* done with this now */
+ } else {
+ DEBUG(3,("attempting to create non-unix account %s\n", account));
+
+ }
+
+ if (!pdb_set_username(sam_pass, account, PDB_CHANGED)) {
+ pdb_free_sam(&sam_pass);
+ return NT_STATUS_NO_MEMORY;
}
pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);