authorAndrew Bartlett <abartlet@samba.org>2003-03-21 13:35:15 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-03-21 13:35:15 +0000
commiteeae85278106abff538ed672116a81bec29906e3 (patch)
treef61f14fa74ec239e7bf02e8017713f06d697bf2d
parent70788c30fb6503a94d83d36eec3dd51a8700c4be (diff)
(merge from HEAD)
Give volker a hand, and let domain joins with existing user accounts work a bit better. This just sets the minimum possible attributes - if we are 'upgrading' an LDAP based user account, the attributes will be there anyway. This matches NT pretty well too. This also fixes some use of uninitialised values in the desired_access checking (found by valgrind). Andrew Bartlett (This used to be commit 536e24ee5b83eaa77be81dd50e3e1a5010b5abf4)
-rw-r--r--source3/rpc_server/srv_samr_nt.c40
1 files changed, 33 insertions, 7 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index d766e9c19e..f174114473 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -81,6 +81,7 @@ NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, u
NTSTATUS status = NT_STATUS_ACCESS_DENIED;
if (!se_access_check(psd, nt_user_token, des_access, acc_granted, &status)) {
+ *acc_granted = des_access;
if (geteuid() == sec_initial_uid()) {
DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n",
debug, des_access));
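Review bot: `*acc_granted = des_access;` sits directly under the failed `se_access_check`, ahead of the `geteuid() == sec_initial_uid()` test, so the out-parameter receives the full requested mask even when the caller is not root and the denial presumably stands. A caller that reads `acc_granted` without first checking the returned status would then see rights that were never granted. Moving the assignment inside the root-override branch (`if (geteuid() == sec_initial_uid()) { *acc_granted = des_access; ...`) keeps the initialisation fix and leaves the denied path fail-closed. The rest of the function lies outside the hunk, so the behaviour of the non-root path is inferred from the visible lines only.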
@@ -2199,7 +2200,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_
uint32 acc_granted;
SEC_DESC *psd;
size_t sd_size;
- uint32 des_access;
+ uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
/* Get the domain SID stored in the domain policy */
if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted))
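Review bot: The new initialiser on `des_access` hard-codes `GENERIC_RIGHTS_USER_ALL_ACCESS`, so the access check for the new account's handle is made against the widest user mask rather than anything the client asked for. If that is deliberate, the declaration should say so, for example `/* handle on a freshly created user is opened with full user rights; revisit if account creation is ever delegated to non-admin callers */`. Most of `_api_samr_create_user` is outside the hunk, so whether `des_access` is narrowed before it is used cannot be seen here.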
@@ -2284,25 +2285,50 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_
DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret));
}
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) {
+ return nt_status;
+ }
+
pw = getpwnam_alloc(account);
if (pw) {
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sam_pass, pw))) {
- passwd_free(&pw);
- return nt_status;
+ DOM_SID user_sid;
+ DOM_SID group_sid;
+ if (!uid_to_sid(&user_sid, pw->pw_uid)) {
+ passwd_free(&pw); /* done with this now */
+ pdb_free_sam(&sam_pass);
+ DEBUG(1, ("_api_samr_create_user: uid_to_sid failed, cannot add user.\n"));
+ return NT_STATUS_ACCESS_DENIED;
}
+
+ if (!pdb_set_user_sid(sam_pass, &user_sid, PDB_CHANGED)) {
+ passwd_free(&pw); /* done with this now */
+ pdb_free_sam(&sam_pass);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!gid_to_sid(&group_sid, pw->pw_gid)) {
+ passwd_free(&pw); /* done with this now */
+ pdb_free_sam(&sam_pass);
+ DEBUG(1, ("_api_samr_create_user: gid_to_sid failed, cannot add user.\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (!pdb_set_group_sid(sam_pass, &group_sid, PDB_CHANGED)) {
+ passwd_free(&pw); /* done with this now */
+ pdb_free_sam(&sam_pass);
+ return NT_STATUS_NO_MEMORY;
+ }
+
passwd_free(&pw); /* done with this now */
} else {
DEBUG(3,("attempting to create non-unix account %s\n", account));
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) {
- return nt_status;
}
if (!pdb_set_username(sam_pass, account, PDB_CHANGED)) {
pdb_free_sam(&sam_pass);
return NT_STATUS_NO_MEMORY;
- }
}
pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);
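Review bot: The `if (pw)` branch repeats the `passwd_free(&pw); pdb_free_sam(&sam_pass);` pair on four separate failure paths, so a later edit that adds another early return can easily leak one of the two. Only `pw->pw_uid` and `pw->pw_gid` are read, so the ids can be copied out and `pw` freed once before any mapping call, which leaves a single `pdb_free_sam` on each failure path. A failed `uid_to_sid`/`gid_to_sid` is also reported as `NT_STATUS_ACCESS_DENIED`, which reads in logs and to the client as an authorization decision rather than a mapping failure; a comment explaining the choice would help triage. The branch binds the new SAM entry to whichever Unix account matches the client-supplied `account`, and no restriction on that account is visible in this hunk; the function starts and continues outside it, so such a check may exist elsewhere.

```c
	pw = getpwnam_alloc(account);
	if (pw) {
		DOM_SID user_sid;
		DOM_SID group_sid;
		uid_t uid = pw->pw_uid;
		gid_t gid = pw->pw_gid;

		passwd_free(&pw); /* only the ids are needed from here on */

		if (!uid_to_sid(&user_sid, uid) || !gid_to_sid(&group_sid, gid)) {
			pdb_free_sam(&sam_pass);
			/* mapping failure, not an authorization decision */
			DEBUG(1, ("_api_samr_create_user: uid/gid to SID mapping failed, cannot add user.\n"));
			return NT_STATUS_ACCESS_DENIED;
		}

		if (!pdb_set_user_sid(sam_pass, &user_sid, PDB_CHANGED) ||
		    !pdb_set_group_sid(sam_pass, &group_sid, PDB_CHANGED)) {
			pdb_free_sam(&sam_pass);
			return NT_STATUS_NO_MEMORY;
		}
	/* … unchanged: else branch, pdb_set_username and pdb_set_acct_ctrl … */
```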