Give volker a hand, and let domain joins with existing user accounts work

a bit better.

This just sets the minimum possible attributes - if we are 'upgrading' an
LDAP based user account, the attributes will be there anyway.  This matches
NT pretty well to.

This also fixes some use of unitialised values in the desired_access checking.
(found by valgrind).

Andrew Bartlett
(This used to be commit 929213ff2a5829ba8435ba1be0de317bca1e0da0)

1 files changed, 38 insertions, 12 deletions

diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index d766e9c19e..7448dc6401 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -81,6 +81,7 @@ NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, u
 	NTSTATUS status = NT_STATUS_ACCESS_DENIED;
 
 	if (!se_access_check(psd, nt_user_token, des_access, acc_granted, &status)) {
+		*acc_granted = des_access;
 		if (geteuid() == sec_initial_uid()) {
 			DEBUG(4,("%s: ACCESS should be DENIED  (requested: %#010x)\n",
 				debug, des_access));
@@ -2199,7 +2200,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_
 	uint32 acc_granted;
 	SEC_DESC *psd;
 	size_t    sd_size;
-	uint32    des_access;
+	uint32    des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
 
 	/* Get the domain SID stored in the domain policy */
 	if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted))
@@ -2284,25 +2285,50 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_
  		DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret));
   	}
 	
+	if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) {
+		return nt_status;
+	}
+		
 	pw = getpwnam_alloc(account);
 
 	if (pw) {
-		if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sam_pass, pw))) {
-			passwd_free(&pw);
-			return nt_status;
+		DOM_SID user_sid;
+		DOM_SID group_sid;
+		if (!uid_to_sid(&user_sid, pw->pw_uid)) {
+			passwd_free(&pw); /* done with this now */
+			pdb_free_sam(&sam_pass);
+			DEBUG(1, ("_api_samr_create_user: uid_to_sid failed, cannot add user.\n"));
+			return NT_STATUS_ACCESS_DENIED;
 		}
-		passwd_free(&pw); /* done with this now */
-	} else {
-		DEBUG(3,("attempting to create non-unix account %s\n", account));
-		
-		if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) {
-			return nt_status;
+
+		if (!pdb_set_user_sid(sam_pass, &user_sid, PDB_CHANGED)) {
+			passwd_free(&pw); /* done with this now */
+			pdb_free_sam(&sam_pass);
+			return NT_STATUS_NO_MEMORY;
 		}
-		
-		if (!pdb_set_username(sam_pass, account, PDB_CHANGED)) {
+
+		if (!gid_to_sid(&group_sid, pw->pw_gid)) {
+			passwd_free(&pw); /* done with this now */
+			pdb_free_sam(&sam_pass);
+			DEBUG(1, ("_api_samr_create_user: gid_to_sid failed, cannot add user.\n"));
+			return NT_STATUS_ACCESS_DENIED;
+		}
+
+		if (!pdb_set_group_sid(sam_pass, &group_sid, PDB_CHANGED)) {
+			passwd_free(&pw); /* done with this now */
 			pdb_free_sam(&sam_pass);
 			return NT_STATUS_NO_MEMORY;
 		}
+
+		passwd_free(&pw); /* done with this now */
+	} else {
+		DEBUG(3,("attempting to create non-unix account %s\n", account));
+		
+	}
+	
+	if (!pdb_set_username(sam_pass, account, PDB_CHANGED)) {
+		pdb_free_sam(&sam_pass);
+		return NT_STATUS_NO_MEMORY;
 	}
 
  	pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED);