From 008b84076094733d7754c524923b1d96ab30b825 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 30 Jul 2007 10:30:34 +0000 Subject: r24080: Set the primary group (matching windows) when creating new users in SAMR. This can't be done in the ldb templates code, as it doesn't happen over direct LDAP. As noted in bug #4829. Andrew Bartlett (This used to be commit 3bfa6dbf7ded06df78310f7bd39d8a8d4edbb4ef) --- source4/librpc/idl/security.idl | 1 + source4/rpc_server/samr/dcesrv_samr.c | 2 ++ source4/torture/rpc/samr.c | 31 +++++++++++++++++++++++++++---- 3 files changed, 30 insertions(+), 4 deletions(-) diff --git a/source4/librpc/idl/security.idl b/source4/librpc/idl/security.idl index 098a887bfe..ea2ad050d5 100644 --- a/source4/librpc/idl/security.idl +++ b/source4/librpc/idl/security.idl @@ -170,6 +170,7 @@ interface security const int DOMAIN_RID_GUEST = 501; const int DOMAIN_RID_ADMINS = 512; const int DOMAIN_RID_USERS = 513; + const int DOMAIN_RID_DOMAIN_MEMBERS = 515; const int DOMAIN_RID_DCS = 516; const int DOMAIN_RID_CERT_ADMINS = 517; const int DOMAIN_RID_SCHEMA_ADMINS = 518; diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index 648b0d37c6..9bb9cb8161 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c @@ -1269,6 +1269,7 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL cn_name[cn_name_len - 1] = '\0'; container = "CN=Computers"; obj_class = "computer"; + samdb_msg_add_int(d_state->sam_ctx, mem_ctx, msg, "primaryGroupID", DOMAIN_RID_DOMAIN_MEMBERS); } else if (r->in.acct_flags == ACB_SVRTRUST) { if (cn_name[cn_name_len - 1] != '$') { @@ -1277,6 +1278,7 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL cn_name[cn_name_len - 1] = '\0'; container = "OU=Domain Controllers"; obj_class = "computer"; + samdb_msg_add_int(d_state->sam_ctx, mem_ctx, msg, "primaryGroupID", DOMAIN_RID_DCS); } else if (r->in.acct_flags == ACB_DOMTRUST) { container = "CN=Users"; diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c index 179b3506de..2534044417 100644 --- a/source4/torture/rpc/samr.c +++ b/source4/torture/rpc/samr.c @@ -2513,7 +2513,7 @@ static BOOL test_CreateUser2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, if (NT_STATUS_IS_OK(status)) { q.in.user_handle = &user_handle; - q.in.level = 16; + q.in.level = 5; status = dcerpc_samr_QueryUserInfo(p, user_ctx, &q); if (!NT_STATUS_IS_OK(status)) { @@ -2521,11 +2521,34 @@ static BOOL test_CreateUser2(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, q.in.level, nt_errstr(status)); ret = False; } else { - if ((q.out.info->info16.acct_flags & acct_flags) != acct_flags) { - printf("QuerUserInfo level 16 failed, it returned 0x%08x when we expected flags of 0x%08x\n", - q.out.info->info16.acct_flags, + if ((q.out.info->info5.acct_flags & acct_flags) != acct_flags) { + printf("QuerUserInfo level 5 failed, it returned 0x%08x when we expected flags of 0x%08x\n", + q.out.info->info5.acct_flags, acct_flags); ret = False; + } + switch (acct_flags) { + case ACB_SVRTRUST: + if (q.out.info->info5.primary_gid != DOMAIN_RID_DCS) { + printf("QuerUserInfo level 5: DC should have had Primary Group %d, got %d\n", + DOMAIN_RID_DCS, q.out.info->info5.primary_gid); + ret = False; + } + break; + case ACB_WSTRUST: + if (q.out.info->info5.primary_gid != DOMAIN_RID_DOMAIN_MEMBERS) { + printf("QuerUserInfo level 5: Domain Member should have had Primary Group %d, got %d\n", + DOMAIN_RID_DOMAIN_MEMBERS, q.out.info->info5.primary_gid); + ret = False; + } + break; + case ACB_NORMAL: + if (q.out.info->info5.primary_gid != DOMAIN_RID_USERS) { + printf("QuerUserInfo level 5: Users should have had Primary Group %d, got %d\n", + DOMAIN_RID_USERS, q.out.info->info5.primary_gid); + ret = False; + } + break; } } -- cgit