authorGerald Carter <jerry@samba.org>2005-02-03 16:23:49 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:55:33 -0500
commit8f87dcdcdab52efb0ef907ede71c0920a25b0d7b (patch)
tree71c1ab961364d0e57cf88f8754004c1d771c0e40
parenta84bb6d1ec0316a39c8b730c40c9215d9d7f959a (diff)
r5205: more fixups for BUG 2291
(This used to be commit 62e7cc7c3b2fe5187c99e0a1491843579ab997e7)
-rw-r--r--source3/rpc_server/srv_samr_nt.c57
1 files changed, 30 insertions, 27 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 83da810444..1d4569e39f 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -2260,24 +2260,26 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA
/* determine which user right we need to check based on the acb_info */
- if ( (acb_info & ACB_WSTRUST) == ACB_WSTRUST )
+ if ( acb_info & ACB_WSTRUST )
{
pstrcpy(add_script, lp_addmachine_script());
se_priv_copy( &se_rights, &se_machine_account );
can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
}
- else if ( (acb_info & ACB_WSTRUST) == ACB_NORMAL )
+ else if ( acb_info & ACB_NORMAL )
{
pstrcpy(add_script, lp_adduser_script());
se_priv_copy( &se_rights, &se_add_users );
can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
}
- else if ( ((acb_info & ACB_SVRTRUST) == ACB_SVRTRUST) || ((acb_info & ACB_DOMTRUST) == ACB_DOMTRUST) )
+ else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) )
{
pstrcpy(add_script, lp_addmachine_script());
- /* only Domain Admins can add a BDC or domain trust */
- se_priv_copy( &se_rights, &se_priv_none );
- can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ if ( lp_enable_privileges() ) {
+ /* only Domain Admins can add a BDC or domain trust */
+ se_priv_copy( &se_rights, &se_priv_none );
+ can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ }
}
DEBUG(5, ("_samr_create_user: %s can add this account : %s\n",
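Review bot: The new single-bit tests make the choice of privilege check depend on branch order, so an `acb_info` carrying more than one account-type bit is authorised by the first and weakest match. For example, a value with both `ACB_NORMAL` and `ACB_DOMTRUST` set would take the `ACB_NORMAL` branch and be checked against `se_add_users` instead of the Domain Admins test. Whether `acb_info` is validated to hold exactly one type bit before this point is not visible in the hunk. If it is not, test `acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)` first, or reject mixed values up front. The same ordering is used in the chains added to `_samr_set_userinfo` and `_samr_set_userinfo2`; this function's body continues outside the hunk.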
@@ -2996,7 +2998,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE
uint32 acc_required;
BOOL ret;
BOOL has_enough_rights;
- SE_PRIV se_rights;
+ uint32 acb_info;
DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__));
@@ -3033,16 +3035,18 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE
}
/* deal with machine password changes differently from userinfo changes */
-
- if ( pdb_get_acct_ctrl(pwd) & ACB_WSTRUST )
- se_priv_copy( &se_rights, &se_machine_account );
- else
- se_priv_copy( &se_rights, &se_add_users );
-
/* check to see if we have the sufficient rights */
- has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
-
+ acb_info = pdb_get_acct_ctrl(pwd);
+ if ( acb_info & ACB_WSTRUST )
+ has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account);
+ else if ( acb_info & ACB_NORMAL )
+ has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
+ else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) {
+ if ( lp_enable_privileges() )
+ has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ }
+
DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n",
p->pipe_user_name, has_enough_rights ? "" : " not"));
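Review bot: `has_enough_rights` reaches the `DEBUG` at the end of this hunk unassigned on two paths: a server/domain trust account when `lp_enable_privileges()` is false, and an account matching none of the three tests. The declaration in the preceding hunk is `BOOL has_enough_rights;` with no initializer, so the value is indeterminate and the authorization decision that presumably follows (outside the hunk) may depend on stack contents. Declaring it as `BOOL has_enough_rights = False;` makes the default deny explicit. The chain added to `_samr_set_userinfo2` has the same gap, and in `_samr_create_user` `can_add_account` is likewise assigned only inside `if ( lp_enable_privileges() )`; its declaration is outside that hunk, so confirm it starts as `False`.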
@@ -3135,7 +3139,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_
uint32 acc_required;
BOOL ret;
BOOL has_enough_rights;
- SE_PRIV se_rights;
+ uint32 acb_info;
DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__));
@@ -3173,17 +3177,16 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_
return NT_STATUS_NO_SUCH_USER;
}
- /* deal with machine password changes differently from userinfo changes */
-
- if ( pdb_get_acct_ctrl(pwd) & ACB_WSTRUST )
- se_priv_copy( &se_rights, &se_machine_account );
- else
- se_priv_copy( &se_rights, &se_add_users );
-
- /* check to see if we have the sufficient rights */
-
- has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
-
+ acb_info = pdb_get_acct_ctrl(pwd);
+ if ( acb_info & ACB_WSTRUST )
+ has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account);
+ else if ( acb_info & ACB_NORMAL )
+ has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
+ else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) {
+ if ( lp_enable_privileges() )
+ has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ }
+
DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n",
p->pipe_user_name, has_enough_rights ? "" : " not"));
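Review bot: This hunk removes both comments that explained the rights check and leaves the new three-way chain undocumented. A one-line comment above `acb_info = pdb_get_acct_ctrl(pwd);` would restore the intent, for example `/* choose the privilege check by account type; server and domain trust accounts require Domain Admins */`. The unchanged `DEBUG` after the chain still prints `_samr_set_userinfo:` inside `_samr_set_userinfo2`, so log lines from the two functions cannot be told apart; `"_samr_set_userinfo2: %s does%s possess sufficient rights\n"` would fix that. The function body starts and ends outside the hunk.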