From eeae85278106abff538ed672116a81bec29906e3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 21 Mar 2003 13:35:15 +0000 Subject: (merge from HEAD) Give volker a hand, and let domain joins with existing user accounts work a bit better. This just sets the minimum possible attributes - if we are 'upgrading' an LDAP based user account, the attributes will be there anyway. This matches NT pretty well to. This also fixes some use of unitialised values in the desired_access checking. (found by valgrind). Andrew Bartlett (This used to be commit 536e24ee5b83eaa77be81dd50e3e1a5010b5abf4) --- source3/rpc_server/srv_samr_nt.c | 40 +++++++++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 7 deletions(-) (limited to 'source3/rpc_server/srv_samr_nt.c') diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index d766e9c19e..f174114473 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -81,6 +81,7 @@ NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, u NTSTATUS status = NT_STATUS_ACCESS_DENIED; if (!se_access_check(psd, nt_user_token, des_access, acc_granted, &status)) { + *acc_granted = des_access; if (geteuid() == sec_initial_uid()) { DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n", debug, des_access)); @@ -2199,7 +2200,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ uint32 acc_granted; SEC_DESC *psd; size_t sd_size; - uint32 des_access; + uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS; /* Get the domain SID stored in the domain policy */ if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted)) @@ -2284,25 +2285,50 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_ DEBUG(3,("_api_samr_create_user: Running the command `%s' gave %d\n", add_script, add_ret)); } + if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) { + return nt_status; + } + pw = getpwnam_alloc(account); if (pw) { - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sam_pass, pw))) { - passwd_free(&pw); - return nt_status; + DOM_SID user_sid; + DOM_SID group_sid; + if (!uid_to_sid(&user_sid, pw->pw_uid)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + DEBUG(1, ("_api_samr_create_user: uid_to_sid failed, cannot add user.\n")); + return NT_STATUS_ACCESS_DENIED; } + + if (!pdb_set_user_sid(sam_pass, &user_sid, PDB_CHANGED)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + return NT_STATUS_NO_MEMORY; + } + + if (!gid_to_sid(&group_sid, pw->pw_gid)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + DEBUG(1, ("_api_samr_create_user: gid_to_sid failed, cannot add user.\n")); + return NT_STATUS_ACCESS_DENIED; + } + + if (!pdb_set_group_sid(sam_pass, &group_sid, PDB_CHANGED)) { + passwd_free(&pw); /* done with this now */ + pdb_free_sam(&sam_pass); + return NT_STATUS_NO_MEMORY; + } + passwd_free(&pw); /* done with this now */ } else { DEBUG(3,("attempting to create non-unix account %s\n", account)); - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sam_pass))) { - return nt_status; } if (!pdb_set_username(sam_pass, account, PDB_CHANGED)) { pdb_free_sam(&sam_pass); return NT_STATUS_NO_MEMORY; - } } pdb_set_acct_ctrl(sam_pass, acb_info, PDB_CHANGED); -- cgit