From 227553f904186112e9218c4a7c8b1b46fef5b897 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 29 May 2009 17:12:06 +1000
Subject: Win2k3 don't allow creating of domain trust accounts over SAMR

---
 source4/rpc_server/samr/dcesrv_samr.c | 10 +++++-----
 source4/torture/rpc/samr.c            |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

(limited to 'source4')

diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index fabc88d02d..ec60ac7a45 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -1213,6 +1213,9 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL
 	if (d_state->builtin) {
 		DEBUG(5, ("Cannot create a user in the BUILTIN domain"));
 		return NT_STATUS_ACCESS_DENIED;
+	} else if (r->in.acct_flags == ACB_DOMTRUST) {
+		/* Domain trust accounts must be created by the LSA calls */
+		return NT_STATUS_ACCESS_DENIED;
 	}
 	account_name = r->in.account_name->string;
 
@@ -1258,6 +1261,7 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL
 
 	} else if (r->in.acct_flags == ACB_WSTRUST) {
 		if (cn_name[cn_name_len - 1] != '$') {
+			ldb_transaction_cancel(d_state->sam_ctx);
 			return NT_STATUS_FOOBAR;
 		}
 		cn_name[cn_name_len - 1] = '\0';
@@ -1267,17 +1271,13 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL
 
 	} else if (r->in.acct_flags == ACB_SVRTRUST) {
 		if (cn_name[cn_name_len - 1] != '$') {
+			ldb_transaction_cancel(d_state->sam_ctx);
 			return NT_STATUS_FOOBAR;		
 		}
 		cn_name[cn_name_len - 1] = '\0';
 		container = "OU=Domain Controllers";
 		obj_class = "computer";
 		samdb_msg_add_int(d_state->sam_ctx, mem_ctx, msg, "primaryGroupID", DOMAIN_RID_DCS);
-
-	} else if (r->in.acct_flags == ACB_DOMTRUST) {
-		container = "CN=Users";
-		obj_class = "user";
-
 	} else {
 		ldb_transaction_cancel(d_state->sam_ctx);
 		return NT_STATUS_INVALID_PARAMETER;
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 0072a018c8..a1a60bf5b4 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -4372,7 +4372,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
 		{ ACB_SVRTRUST, TEST_MACHINENAME, NT_STATUS_OK },
 		{ ACB_SVRTRUST | ACB_DISABLED, TEST_MACHINENAME, NT_STATUS_INVALID_PARAMETER },
 		{ ACB_SVRTRUST | ACB_PWNOEXP, TEST_MACHINENAME, NT_STATUS_INVALID_PARAMETER },
-		{ ACB_DOMTRUST, TEST_DOMAINNAME, NT_STATUS_OK },
+		{ ACB_DOMTRUST, TEST_DOMAINNAME, NT_STATUS_ACCESS_DENIED },
 		{ ACB_DOMTRUST | ACB_DISABLED, TEST_DOMAINNAME, NT_STATUS_INVALID_PARAMETER },
 		{ ACB_DOMTRUST | ACB_PWNOEXP, TEST_DOMAINNAME, NT_STATUS_INVALID_PARAMETER },
 		{ 0, TEST_ACCOUNT_NAME, NT_STATUS_INVALID_PARAMETER },
-- 
cgit