The Samba-Bugzilla – Attachment 942 Details for
Bug 2291
bug in 3.0.11rc1 was not in 3.0.11pre2
[patch]
add additional checks for creating server and domain trust accounts
look (text/plain), 3.82 KB, created by
Gerald (Jerry) Carter (dead mail address)
on 2005-02-03 08:34:01 UTC
Description:
add additional checks for creating server and domain trust accounts
Filename:
MIME Type:
Creator:
Gerald (Jerry) Carter (dead mail address)
Created:
2005-02-03 08:34:01 UTC
Size:
3.82 KB
patch
obsolete
>Index: source/include/privileges.h
>===================================================================
>--- source/include/privileges.h (revision 5061)
>+++ source/include/privileges.h (revision 5204)
>@@ -1,3 +1,4 @@
>+
> /*
> Unix SMB/CIFS implementation.
> SMB parameters and setup
>@@ -59,6 +60,7 @@
>
> /* defined in lib/privilegs.c */
>
>+extern const SE_PRIV se_priv_none;
> extern const SE_PRIV se_machine_account;
> extern const SE_PRIV se_print_operator;
> extern const SE_PRIV se_add_users;
>Index: source/include/smb.h
>===================================================================
>--- source/include/smb.h (revision 5061)
>+++ source/include/smb.h (revision 5204)
>@@ -226,7 +226,7 @@
> #define ACB_MNS 0x0020 /* 1 = MNS logon user account */
> #define ACB_DOMTRUST 0x0040 /* 1 = Interdomain trust account */
> #define ACB_WSTRUST 0x0080 /* 1 = Workstation trust account */
>-#define ACB_SVRTRUST 0x0100 /* 1 = Server trust account */
>+#define ACB_SVRTRUST 0x0100 /* 1 = Server trust account (BDC) */
> #define ACB_PWNOEXP 0x0200 /* 1 = User password does not expire */
> #define ACB_AUTOLOCK 0x0400 /* 1 = Account auto locked */
>
>Index: source/utils/net_rpc_join.c
>===================================================================
>--- source/utils/net_rpc_join.c (revision 5061)
>+++ source/utils/net_rpc_join.c (revision 5204)
>@@ -212,7 +212,7 @@
>
> if (!NT_STATUS_IS_OK(result) &&
> !NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) {
>- d_printf("Create of workstation account failed\n");
>+ d_printf("Creation of workstation account failed\n");
>
> /* If NT_STATUS_ACCESS_DENIED then we have a valid
> username/password combo but the user does not have
>Index: source/rpc_server/srv_samr_nt.c
>===================================================================
>--- source/rpc_server/srv_samr_nt.c (revision 5061)
>+++ source/rpc_server/srv_samr_nt.c (revision 5204)
>@@ -2333,17 +2333,27 @@
> pw = Get_Pwnam(account);
>
> /* determine which user right we need to check based on the acb_info */
>- if ( acb_info == ACB_WSTRUST ) {
>+
>+ if ( (acb_info & ACB_WSTRUST) == ACB_WSTRUST )
>+ {
>+ pstrcpy(add_script, lp_addmachine_script());
> se_priv_copy( &se_rights, &se_machine_account );
>+ can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
>+ }
>+ else if ( (acb_info & ACB_WSTRUST) == ACB_NORMAL )
>+ {
>+ pstrcpy(add_script, lp_adduser_script());
>+ se_priv_copy( &se_rights, &se_add_users );
>+ can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
>+ }
>+ else if ( ((acb_info & ACB_SVRTRUST) == ACB_SVRTRUST) || ((acb_info & ACB_DOMTRUST) == ACB_DOMTRUST) )
>+ {
> pstrcpy(add_script, lp_addmachine_script());
>+ /* only Domain Admins can add a BDC or domain trust */
>+ se_priv_copy( &se_rights, &se_priv_none );
>+ can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
> }
>- else {
>- se_priv_copy( &se_rights, &se_add_users );
>- pstrcpy(add_script, lp_adduser_script());
>- }
>-
>- can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
>-
>+
> DEBUG(5, ("_samr_create_user: %s can add this account : %s\n",
> p->pipe_user_name, can_add_account ? "True":"False" ));
>
>Index: source/lib/privileges.c
>===================================================================
>--- source/lib/privileges.c (revision 5061)
>+++ source/lib/privileges.c (revision 5204)
>@@ -29,11 +29,11 @@
>
> static SE_PRIV se_priv_all = SE_ALL_PRIVS;
> static SE_PRIV se_priv_end = SE_END;
>-static SE_PRIV se_priv_none = SE_NONE;
>
> /* Define variables for all privileges so we can use the
> SE_PRIV* in the various se_priv_XXX() functions */
>
>+const SE_PRIV se_priv_none = SE_NONE;
> const SE_PRIV se_machine_account = SE_MACHINE_ACCOUNT;
> const SE_PRIV se_print_operator = SE_PRINT_OPERATOR;
> const SE_PRIV se_add_users = SE_ADD_USERS;
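Review bot: In the srv_samr_nt.c hunk the second branch tests `(acb_info & ACB_WSTRUST) == ACB_NORMAL`, which masks with the wrong flag; ACB_NORMAL is not defined in the visible lines, but if it is a distinct non-zero bit like its neighbours in smb.h the comparison can never be true, and I would write `else if ( (acb_info & ACB_NORMAL) == ACB_NORMAL )`. A request that matches no branch then leaves `can_add_account` and `add_script` at whatever they held before this chain (their initialisation is outside the hunk), so the chain should end in an `else` that denies the request or returns an error instead of falling through to the DEBUG line. Because the checks are now bit tests rather than the old exact `acb_info == ACB_WSTRUST`, a value carrying ACB_WSTRUST together with ACB_SVRTRUST or ACB_DOMTRUST is decided by the first branch and only needs se_machine_account; test the server/domain trust case first, or reject values with more than one account-type bit, so the Domain Admins check cannot be skipped. The enclosing function starts and ends outside the hunk, so any later validation of acb_info is not visible here.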