diff options
| author | Tim Prouty <tim.prouty@isilon.com> | 2008-07-23 20:50:21 -0700 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2008-07-30 14:06:36 -0700 |
| commit | 097b27dbcc1339db174c50e69767d171794d3603 (patch) | |
| tree | 06ac85645e1eb4554deb65a9bcebc1210cfb8d4a /source3/include | |
| parent | bbb02aa8e925774532376b6a6218a4cbbb708c38 (diff) | |
| download | samba-097b27dbcc1339db174c50e69767d171794d3603.tar.gz samba-097b27dbcc1339db174c50e69767d171794d3603.tar.bz2 samba-097b27dbcc1339db174c50e69767d171794d3603.zip | |
Enabled domain groups to be added to builtin groups at domain join time
Previously this was done at token creation time if the Administrators and Users
builtins hadn't been created yet. A major drawback to this approach is that if
a customer is joined to a domain and decides they want to join a different
domain, the domain groups from this new domain will not be added to the
builtins.
It would be ideal if these groups could be added exclusively at domain join
time, but we can't rely solely on that because there are cases where winbindd
must be running to allocate new gids for the builtins. In the future if there
is a way to allocate gids for builtins without running winbindd, this code
can be removed from create_local_nt_token.
- Made create_builtin_users and create_builtin_administrators non-static so
they can be called from libnet
- Added a new function to libnet_join that will make a best effort to add
domain administrators and domain users to BUILTIN\Administrators and
BUILTIN\Users, respectively. If the builtins don't exist yet, winbindd must be
running to allocate new gids, but if the builtins already exist, the domain
groups will be added even if winbindd is not running. In the case of a
failure the error will be logged, but the join will not be failed.
- Plumbed libnet_join_add_dom_rids_to_builtins into the join post processing.
(This used to be commit e92faf5996cadac480deb60a4f6232eea90b00f6)
Diffstat (limited to 'source3/include')
| -rw-r--r-- | source3/include/proto.h | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index 7e70f3ced3..01b7a354e2 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -171,6 +171,8 @@ bool nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid ); NT_USER_TOKEN *get_root_nt_token( void ); NTSTATUS add_aliases(const DOM_SID *domain_sid, struct nt_user_token *token); +NTSTATUS create_builtin_users(const DOM_SID *sid); +NTSTATUS create_builtin_administrators(const DOM_SID *sid); struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, const DOM_SID *user_sid, bool is_guest, |