authorGünther Deschner <gd@samba.org>2009-11-09 17:34:47 +0100
committerGünther Deschner <gd@samba.org>2009-11-09 17:36:53 +0100
commitd7ce873391f215f4f3785abcd13b9d120b87e744 (patch)
treeba8b78eb57ee3d6cf06b7a1bbef08d0d9a8b54b9 /source3/rpc_server
parente9c6984cb62ce8d7d899202c1275d241a605913c (diff)
s3-netlogon: enable RPC-NETLOGON-ADMIN test against s3.
Guenther
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/srv_netlog_nt.c27
1 files changed, 23 insertions, 4 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index bcf5c000b3..39912ac7e4 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -177,6 +177,7 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
struct netr_NETLOGON_INFO_3 *info3;
struct netr_NETLOGON_INFO_4 *info4;
const char *fn;
+ uint32_t acct_ctrl;
switch (p->hdr_req.opnum) {
case NDR_NETR_LOGONCONTROL:
@@ -192,12 +193,16 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
return WERR_INVALID_PARAM;
}
+ acct_ctrl = pdb_get_acct_ctrl(p->server_info->sam_account);
+
switch (r->in.function_code) {
case NETLOGON_CONTROL_TC_VERIFY:
case NETLOGON_CONTROL_CHANGE_PASSWORD:
case NETLOGON_CONTROL_REDISCOVER:
- if (!nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_GROUP_RID_ADMINS) &&
- !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok)) {
+ if ((geteuid() != sec_initial_uid()) &&
+ !nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_RID_ADMINS) &&
+ !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok) &&
+ !(acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))) {
return WERR_ACCESS_DENIED;
}
break;
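Review bot: The rewritten condition for NETLOGON_CONTROL_TC_VERIFY, CHANGE_PASSWORD and REDISCOVER now admits any caller whose account carries ACB_WSTRUST or ACB_SVRTRUST, and any request handled while `geteuid() == sec_initial_uid()`, where before only Domain Admins or BUILTIN\Administrators tokens passed. If the widening exists so the RPC-NETLOGON-ADMIN test can run over a machine-account connection, record that next to the check, for example `/* machine trust accounts may issue these controls; every other caller must be an administrator */`, and confirm that every workstation trust account really should be allowed to trigger CHANGE_PASSWORD. Separately, `pdb_get_acct_ctrl(p->server_info->sam_account)` is called with no visible check that `sam_account` is non-NULL. If a session can reach this function without a passdb entry (not visible here), `acct_ctrl = p->server_info->sam_account ? pdb_get_acct_ctrl(p->server_info->sam_account) : 0;` would fail closed. The function body starts and ends outside the hunk.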
@@ -215,9 +220,23 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
case NETLOGON_CONTROL_SYNCHRONIZE:
case NETLOGON_CONTROL_PDC_REPLICATE:
case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
- case NETLOGON_CONTROL_TRUNCATE_LOG:
case NETLOGON_CONTROL_BREAKPOINT:
- return WERR_ACCESS_DENIED;
+ if (acct_ctrl & ACB_NORMAL) {
+ return WERR_NOT_SUPPORTED;
+ } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
+ return WERR_ACCESS_DENIED;
+ } else {
+ return WERR_ACCESS_DENIED;
+ }
+ case NETLOGON_CONTROL_TRUNCATE_LOG:
+ if (acct_ctrl & ACB_NORMAL) {
+ break;
+ } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
+ return WERR_ACCESS_DENIED;
+ } else {
+ return WERR_ACCESS_DENIED;
+ }
+
case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
case NETLOGON_CONTROL_FORCE_DNS_REG:
case NETLOGON_CONTROL_QUERY_DNS_REG:
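Review bot: In the new NETLOGON_CONTROL_TRUNCATE_LOG case, `if (acct_ctrl & ACB_NORMAL) { break; }` leaves the access switch for every normal user account, so the decision rests on the account type and not on the administrator token checks used for the TC_VERIFY group; the previous code denied this control outright. What runs after the switch is outside the hunk, but unless a later check exists the branch should also require the admin test, e.g. `if ((acct_ctrl & ACB_NORMAL) && nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok)) { break; }`. In both new blocks the `else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))` arm and the final `else` return the same WERR_ACCESS_DENIED, so they can be collapsed to a single `return WERR_ACCESS_DENIED;` after the ACB_NORMAL test.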