From 677838b9997d89dc53c9b5b9a3601c0bc2cbdf80 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 21 Mar 2003 13:28:06 +0000 Subject: Give volker a hand, and let domain joins with existing user accounts work a bit better. This just sets the minimum possible attributes - if we are 'upgrading' an LDAP based user account, the attributes will be there anyway. This matches NT pretty well to. This also fixes some use of unitialised values in the desired_access checking. (found by valgrind). Andrew Bartlett (This used to be commit 929213ff2a5829ba8435ba1be0de317bca1e0da0) --- source3/rpc_server/srv_samr_nt.c | 50 ++++++++++++++++++++++++++++++---------- 1 file changed, 38 insertions(+), 12 deletions(-) diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d766e9c19e..7448dc6401 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -81,6 +81,7 @@ NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, u NTSTATUS status = NT_STATUS_ACCESS_DENIED; if (!se_access_check(psd, nt_user_token, des_access, acc_granted, &status)) { + *acc_granted = des_access; if (geteuid() == sec_initial_uid()) { DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access)); @@ -2199,7 +2200,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ uint32 acc_granted; SEC_DESC *psd; size_t sd_size; - uint32 des_access; + uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS; /* Get the domain SID stored in the domain policy */ if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted)) @@ -2284,25 +2285,50 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); } + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) { + return nt_status; + } + pw = getpwnam_alloc(account); if (pw) { - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sam_pass, pw))) { - passwd_free(&pw); - return nt_status; + DOM_SID user_sid; + DOM_SID group_sid; + if (!uid_to_sid(&user_sid, pw->pw_uid)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + DEBUG(1, ("_api_samr_create_user: uid_to_sid failed, cannot add user.\n")); + return NT_STATUS_ACCESS_DENIED; } - passwd_free(&pw); /* done with this now */ - } else { - DEBUG(3,("attempting to create non-unix account %s\n", account)); - - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) { - return nt_status; + + if (!pdb_set_user_sid(sam_pass, &user_sid, PDB_CHANGED)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + return NT_STATUS_NO_MEMORY; } - - if (!pdb_set_username(sam_pass, account, PDB_CHANGED)) { + + if (!gid_to_sid(&group_sid, pw->pw_gid)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + DEBUG(1, ("_api_samr_create_user: gid_to_sid failed, cannot add user.\n")); + return NT_STATUS_ACCESS_DENIED; + } + + if (!pdb_set_group_sid(sam_pass, &group_sid, PDB_CHANGED)) { + passwd_free(&pw); /* done with this now */ pdb_free_sam(&sam_pass); return NT_STATUS_NO_MEMORY; } + + passwd_free(&pw); /* done with this now */ + } else { + DEBUG(3,("attempting to create non-unix account %s\n", account)); + + } + + if (!pdb_set_username(sam_pass, account, PDB_CHANGED)) { + pdb_free_sam(&sam_pass); + return NT_STATUS_NO_MEMORY; } pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED); -- cgit