diff options
author | Gerald Carter <jerry@samba.org> | 2005-02-03 15:14:54 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:55:32 -0500 |
commit | a84bb6d1ec0316a39c8b730c40c9215d9d7f959a (patch) | |
tree | 4d8dfd70cb5108bfe41adf6c26a0039c24464097 /source3 | |
parent | 4e121102d488c07d138d7065b696d0a145b07f64 (diff) | |
download | samba-a84bb6d1ec0316a39c8b730c40c9215d9d7f959a.tar.gz samba-a84bb6d1ec0316a39c8b730c40c9215d9d7f959a.tar.bz2 samba-a84bb6d1ec0316a39c8b730c40c9215d9d7f959a.zip |
r5203: additional changes for BUG 2291 to restrict who can join a BDC and add domain trusts
(This used to be commit 5ec1faa2ad33772fb48c3863e67d2ce4be726bb2)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/privileges.h | 2 | ||||
-rw-r--r-- | source3/include/smb.h | 2 | ||||
-rw-r--r-- | source3/lib/privileges.c | 2 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 26 | ||||
-rw-r--r-- | source3/utils/net_rpc_join.c | 2 |
5 files changed, 23 insertions, 11 deletions
diff --git a/source3/include/privileges.h b/source3/include/privileges.h index 76cabf3ba9..5266e46e3a 100644 --- a/source3/include/privileges.h +++ b/source3/include/privileges.h @@ -1,3 +1,4 @@ + /* Unix SMB/CIFS implementation. SMB parameters and setup @@ -59,6 +60,7 @@ typedef struct { /* defined in lib/privilegs.c */ +extern const SE_PRIV se_priv_none; extern const SE_PRIV se_machine_account; extern const SE_PRIV se_print_operator; extern const SE_PRIV se_add_users; diff --git a/source3/include/smb.h b/source3/include/smb.h index b8891fe90b..ff64513410 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -226,7 +226,7 @@ typedef struct nttime_info #define ACB_MNS 0x0020 /* 1 = MNS logon user account */ #define ACB_DOMTRUST 0x0040 /* 1 = Interdomain trust account */ #define ACB_WSTRUST 0x0080 /* 1 = Workstation trust account */ -#define ACB_SVRTRUST 0x0100 /* 1 = Server trust account */ +#define ACB_SVRTRUST 0x0100 /* 1 = Server trust account (BDC) */ #define ACB_PWNOEXP 0x0200 /* 1 = User password does not expire */ #define ACB_AUTOLOCK 0x0400 /* 1 = Account auto locked */ diff --git a/source3/lib/privileges.c b/source3/lib/privileges.c index 4feb730fee..3960faecaa 100644 --- a/source3/lib/privileges.c +++ b/source3/lib/privileges.c @@ -29,11 +29,11 @@ static SE_PRIV se_priv_all = SE_ALL_PRIVS; static SE_PRIV se_priv_end = SE_END; -static SE_PRIV se_priv_none = SE_NONE; /* Define variables for all privileges so we can use the SE_PRIV* in the various se_priv_XXX() functions */ +const SE_PRIV se_priv_none = SE_NONE; const SE_PRIV se_machine_account = SE_MACHINE_ACCOUNT; const SE_PRIV se_print_operator = SE_PRINT_OPERATOR; const SE_PRIV se_add_users = SE_ADD_USERS; diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index b58111c1b7..83da810444 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2259,17 +2259,27 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA pw = Get_Pwnam(account); /* determine which user right we need to check based on the acb_info */ - if ( acb_info & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) { - se_priv_copy( &se_rights, &se_machine_account ); + + if ( (acb_info & ACB_WSTRUST) == ACB_WSTRUST ) + { pstrcpy(add_script, lp_addmachine_script()); - } - else { - se_priv_copy( &se_rights, &se_add_users ); + se_priv_copy( &se_rights, &se_machine_account ); + can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + } + else if ( (acb_info & ACB_WSTRUST) == ACB_NORMAL ) + { pstrcpy(add_script, lp_adduser_script()); + se_priv_copy( &se_rights, &se_add_users ); + can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); + } + else if ( ((acb_info & ACB_SVRTRUST) == ACB_SVRTRUST) || ((acb_info & ACB_DOMTRUST) == ACB_DOMTRUST) ) + { + pstrcpy(add_script, lp_addmachine_script()); + /* only Domain Admins can add a BDC or domain trust */ + se_priv_copy( &se_rights, &se_priv_none ); + can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ); } - - can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights ); - + DEBUG(5, ("_samr_create_user: %s can add this account : %s\n", p->pipe_user_name, can_add_account ? "True":"False" )); diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c index f1a41c7c99..ed196de6c1 100644 --- a/source3/utils/net_rpc_join.c +++ b/source3/utils/net_rpc_join.c @@ -212,7 +212,7 @@ int net_rpc_join_newstyle(int argc, const char **argv) if (!NT_STATUS_IS_OK(result) && !NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) { - d_printf("Create of workstation account failed\n"); + d_printf("Creation of workstation account failed\n"); /* If NT_STATUS_ACCESS_DENIED then we have a valid username/password combo but the user does not have |