From 13b1f7a2b33b299208abfbb50fbf1e2b982ca326 Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer
Date: Thu, 10 Jun 2010 11:50:12 +0200
Subject: s4:dcesrv_samr_Add/DelGroupMember - remove the account type check

MS-SAMR 3.1.5.8 speaks from accounts which are not necessarely only users.
---
 source4/rpc_server/samr/dcesrv_samr.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 45d96991e9..3ad3940967 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -1948,12 +1948,11 @@ static NTSTATUS dcesrv_samr_AddGroupMember(struct dcesrv_call_state *dce_call, T
 return NT_STATUS_NO_MEMORY;
 }
- /* In native mode, AD can also nest domain groups. Not sure yet
- * whether this is also available via RPC. */
+ /* according to MS-SAMR 3.1.5.8.2 all type of accounts are accepted */
 ret = ldb_search(d_state->sam_ctx, mem_ctx, &res,
- d_state->domain_dn, LDB_SCOPE_SUBTREE, attrs,
- "(&(objectSid=%s)(objectclass=user))",
- ldap_encode_ndr_dom_sid(mem_ctx, membersid));
+ d_state->domain_dn, LDB_SCOPE_SUBTREE, attrs,
+ "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx, membersid));
 if (ret != LDB_SUCCESS) {
 return NT_STATUS_INTERNAL_DB_CORRUPTION;
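Review bot: The new filter `"(objectSid=%s)"` in dcesrv_samr_AddGroupMember matches any object that carries the SID, not only accounts as the added comment says, so a group RID (including the RID of the group being modified) now resolves to a member DN. Whether nested or self-referential membership is rejected afterwards cannot be seen here, because the function body continues outside the hunk. If that is left to a later layer, the comment should say so, for example `/* MS-SAMR 3.1.5.8.2: any object with this SID is accepted, groups included; membership rules are enforced by <component> */`. The same widened filter is introduced in the dcesrv_samr_DeleteGroupMember hunk, and a test that passes a group RID as the member would pin the intended result.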
@@ -2050,15 +2049,15 @@ static NTSTATUS dcesrv_samr_DeleteGroupMember(struct dcesrv_call_state *dce_call
 d_state = a_state->domain_state;
 membersid = dom_sid_add_rid(mem_ctx, d_state->domain_sid, r->in.rid);
- if (membersid == NULL)
+ if (membersid == NULL) {
 return NT_STATUS_NO_MEMORY;
+ }
- /* In native mode, AD can also nest domain groups. Not sure yet
- * whether this is also available via RPC. */
+ /* according to MS-SAMR 3.1.5.8.2 all type of accounts are accepted */
 ret = ldb_search(d_state->sam_ctx, mem_ctx, &res,
- d_state->domain_dn, LDB_SCOPE_SUBTREE, attrs,
- "(&(objectSid=%s)(objectclass=user))",
- ldap_encode_ndr_dom_sid(mem_ctx, membersid));
+ d_state->domain_dn, LDB_SCOPE_SUBTREE, attrs,
+ "(objectSid=%s)",
+ ldap_encode_ndr_dom_sid(mem_ctx, membersid));
 if (ret != LDB_SUCCESS) {
 return NT_STATUS_INTERNAL_DB_CORRUPTION;
--
cgit
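Review bot: The result of `ldap_encode_ndr_dom_sid(mem_ctx, membersid)` is passed straight to the `%s` of the search filter without a NULL check, even though this hunk tidies the NULL check on `membersid` just above it. If the encoder fails (presumably on allocation failure), the filter is formatted from a NULL string and the caller gets NT_STATUS_INTERNAL_DB_CORRUPTION or a no-match result rather than NT_STATUS_NO_MEMORY. Encoding first, with a local whose name is constructed here, `sidstr = ldap_encode_ndr_dom_sid(mem_ctx, membersid);` followed by `if (sidstr == NULL) { return NT_STATUS_NO_MEMORY; }`, and passing `sidstr` to ldb_search would close the gap. The dcesrv_samr_AddGroupMember hunk has the same call, and this function starts and ends outside the hunk.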