authorGerald Carter <jerry@samba.org>2005-02-03 15:14:54 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:55:32 -0500
commita84bb6d1ec0316a39c8b730c40c9215d9d7f959a (patch)
tree4d8dfd70cb5108bfe41adf6c26a0039c24464097 /source3/rpc_server
parent4e121102d488c07d138d7065b696d0a145b07f64 (diff)
downloadsamba-a84bb6d1ec0316a39c8b730c40c9215d9d7f959a.tar.gz
samba-a84bb6d1ec0316a39c8b730c40c9215d9d7f959a.tar.bz2
samba-a84bb6d1ec0316a39c8b730c40c9215d9d7f959a.zip
r5203: additional changes for BUG 2291 to restrict who can join a BDC and add domain trusts
(This used to be commit 5ec1faa2ad33772fb48c3863e67d2ce4be726bb2)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/srv_samr_nt.c26
1 files changed, 18 insertions, 8 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index b58111c1b7..83da810444 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -2259,17 +2259,27 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA
pw = Get_Pwnam(account);
/* determine which user right we need to check based on the acb_info */
- if ( acb_info & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) {
- se_priv_copy( &se_rights, &se_machine_account );
+
+ if ( (acb_info & ACB_WSTRUST) == ACB_WSTRUST )
+ {
pstrcpy(add_script, lp_addmachine_script());
- }
- else {
- se_priv_copy( &se_rights, &se_add_users );
+ se_priv_copy( &se_rights, &se_machine_account );
+ can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
+ }
+ else if ( (acb_info & ACB_WSTRUST) == ACB_NORMAL )
+ {
pstrcpy(add_script, lp_adduser_script());
+ se_priv_copy( &se_rights, &se_add_users );
+ can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
+ }
+ else if ( ((acb_info & ACB_SVRTRUST) == ACB_SVRTRUST) || ((acb_info & ACB_DOMTRUST) == ACB_DOMTRUST) )
+ {
+ pstrcpy(add_script, lp_addmachine_script());
+ /* only Domain Admins can add a BDC or domain trust */
+ se_priv_copy( &se_rights, &se_priv_none );
+ can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
}
-
- can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
-
+
DEBUG(5, ("_samr_create_user: %s can add this account : %s\n",
p->pipe_user_name, can_add_account ? "True":"False" ));
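Review bot: The branch order at the `if ( (acb_info & ACB_WSTRUST) == ACB_WSTRUST )` line lets a caller bypass the new Domain Admins requirement: a request that sets ACB_WSTRUST together with ACB_SVRTRUST or ACB_DOMTRUST is taken by the first branch and only needs SeMachineAccountPrivilege, never reaching the `nt_token_check_domain_rid` check. The BDC/trust test should run first, and `can_add_account` (and `se_rights`) should be set to a deny value before the chain, because the old unconditional `user_has_privileges` call after the chain was removed and an acb_info that matches no branch now leaves both unset unless they are initialised at their declarations above the hunk. The middle comparison `(acb_info & ACB_WSTRUST) == ACB_NORMAL` also looks wrong: the masked value can only be 0 or ACB_WSTRUST, so if ACB_NORMAL is a distinct non-zero bit this branch is dead and normal users are never routed to `lp_adduser_script()`; it presumably should test `acb_info & ACB_NORMAL`. `_samr_create_user` begins and ends outside the hunk.
```c
	/* determine which user right we need to check based on the acb_info */

	/* fail closed: anything not explicitly allowed below is denied */
	can_add_account = False;
	se_priv_copy( &se_rights, &se_priv_none );

	if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) )
	{
		/* only Domain Admins can add a BDC or domain trust; tested first so a
		   request that also sets ACB_WSTRUST cannot fall into the weaker check */
		pstrcpy(add_script, lp_addmachine_script());
		can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
	}
	else if ( acb_info & ACB_WSTRUST )
	{
		pstrcpy(add_script, lp_addmachine_script());
		se_priv_copy( &se_rights, &se_machine_account );
		can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
	}
	else if ( acb_info & ACB_NORMAL )
	{
		pstrcpy(add_script, lp_adduser_script());
		se_priv_copy( &se_rights, &se_add_users );
		can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
	}
	/* any other acb_info combination leaves can_add_account == False */

	/* … unchanged: DEBUG(5, ...) and the rest of _samr_create_user … */
```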