diff options
author | Günther Deschner <gd@samba.org> | 2009-11-09 17:34:47 +0100 |
---|---|---|
committer | Günther Deschner <gd@samba.org> | 2009-11-09 17:36:53 +0100 |
commit | d7ce873391f215f4f3785abcd13b9d120b87e744 (patch) | |
tree | ba8b78eb57ee3d6cf06b7a1bbef08d0d9a8b54b9 /source3/rpc_server | |
parent | e9c6984cb62ce8d7d899202c1275d241a605913c (diff) | |
download | samba-d7ce873391f215f4f3785abcd13b9d120b87e744.tar.gz samba-d7ce873391f215f4f3785abcd13b9d120b87e744.tar.bz2 samba-d7ce873391f215f4f3785abcd13b9d120b87e744.zip |
s3-netlogon: enable RPC-NETLOGON-ADMIN test against s3.
Guenther
Diffstat (limited to 'source3/rpc_server')
-rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index bcf5c000b3..39912ac7e4 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -177,6 +177,7 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p, struct netr_NETLOGON_INFO_3 *info3; struct netr_NETLOGON_INFO_4 *info4; const char *fn; + uint32_t acct_ctrl; switch (p->hdr_req.opnum) { case NDR_NETR_LOGONCONTROL: @@ -192,12 +193,16 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p, return WERR_INVALID_PARAM; } + acct_ctrl = pdb_get_acct_ctrl(p->server_info->sam_account); + switch (r->in.function_code) { case NETLOGON_CONTROL_TC_VERIFY: case NETLOGON_CONTROL_CHANGE_PASSWORD: case NETLOGON_CONTROL_REDISCOVER: - if (!nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_GROUP_RID_ADMINS) && - !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok)) { + if ((geteuid() != sec_initial_uid()) && + !nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_RID_ADMINS) && + !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok) && + !(acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))) { return WERR_ACCESS_DENIED; } break; @@ -215,9 +220,23 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p, case NETLOGON_CONTROL_SYNCHRONIZE: case NETLOGON_CONTROL_PDC_REPLICATE: case NETLOGON_CONTROL_BACKUP_CHANGE_LOG: - case NETLOGON_CONTROL_TRUNCATE_LOG: case NETLOGON_CONTROL_BREAKPOINT: - return WERR_ACCESS_DENIED; + if (acct_ctrl & ACB_NORMAL) { + return WERR_NOT_SUPPORTED; + } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) { + return WERR_ACCESS_DENIED; + } else { + return WERR_ACCESS_DENIED; + } + case NETLOGON_CONTROL_TRUNCATE_LOG: + if (acct_ctrl & ACB_NORMAL) { + break; + } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) { + return WERR_ACCESS_DENIED; + } else { + return WERR_ACCESS_DENIED; + } + case NETLOGON_CONTROL_TRANSPORT_NOTIFY: case NETLOGON_CONTROL_FORCE_DNS_REG: case NETLOGON_CONTROL_QUERY_DNS_REG: |