From 467da937c7e1361dca1d4a535db96cdb78e10b13 Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Mon, 14 Feb 2005 02:41:34 +0000
Subject: r5385: when operating in security = domain, allow domain admins to manage rigths assignments (This used to be commit fec9cb7daa9b780aab019c0e0d7f2692c168019f)
---
 source3/auth/auth_util.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
(limited to 'source3/auth/auth_util.c')
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 5c933e90c9..7a186f65cd 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1515,7 +1515,19 @@ BOOL nt_token_check_domain_rid( NT_USER_TOKEN *token, uint32 rid )
 {
 DOM_SID domain_sid;
 
- sid_copy( &domain_sid, get_global_sam_sid() );
+ /* if we are a domain member, the get the domain SID, else for
+ a DC or standalone server, use our own SID */
+
+ if ( lp_server_role() == ROLE_DOMAIN_MEMBER ) {
+ if ( !secrets_fetch_domain_sid( lp_workgroup(), &domain_sid ) ) {
+ DEBUG(1,("nt_token_check_domain_rid: Cannot lookup SID for domain [%s]\n",
+ lp_workgroup()));
+ return False;
+ }
+ }
+ else
+ sid_copy( &domain_sid, get_global_sam_sid() );
+
 sid_append_rid( &domain_sid, rid );
 
 return nt_token_check_sid( &domain_sid, token );\
-- cgit
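Review bot: On a domain member the new branch replaces the local SAM SID with the SID returned by `secrets_fetch_domain_sid()`, so a token that carries only the machine's own SAM SID plus `rid` no longer passes this check; the callers are not visible in the hunk, so it is worth confirming none of them rely on that on a member server. The lookup-failure path returns `False`, which fails closed and is the right default for a check that gates rights management. The added comment should state that the swap is deliberate and lose its typo, e.g. `/* domain member: test against the domain's SID only, not our local SAM SID; DC or standalone: use our own SID */`. The unbraced `else` after a braced `if` is easy to break when a second statement is added later; `} else { sid_copy( &domain_sid, get_global_sam_sid() ); }` keeps both arms symmetric. The function's signature appears only in the hunk header and its closing brace lies outside the hunk.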