SeMachineAccountPrivilege works the same as SeAddUsersPrivilege. In a Samba domain environment, a user granted SeMachineAccountPrivilege can modify all users' properties, passwords and account policies, the same as a user granted SeAddUsersPrivilege. Is this by design? P.S. A user granted SeAddUsersPrivilege cannot add a machine to the domain. A user granted SeMachineAccountPrivilege can add a machine to the domain. So these 2 privileges work well around joining a domain.
I guess it's by design. Creating a machine account is creating another user. Jeremy, is that assumption right?
Actually no, I don't think so. SeMachineAccountPrivilege shouldn't allow you to edit normal users. I'll look at the code in this one. Thanks, Jeremy.
Created attachment 4148: Patch for master/3.4 to test.
Patch passes make test, so that's something. TAKAHASHI-san, can you test this as well please? Jeremy.
Created attachment 4150: Pater patch - fixes more....
I meant "later" not "pater" :-). Jeremy.
Patch id=4150 failed for me:

-----
samba33a:/home/local/Work/samba-3.3.4/source# patch -p2 < ../patch3.txt
patching file lib/privileges_basic.c
patching file rpc_server/srv_samr_nt.c
Hunk #1 succeeded at 174 (offset -11 lines).
Hunk #2 succeeded at 2139 (offset -68 lines).
Hunk #3 FAILED at 2169.
Hunk #4 FAILED at 4661.
Hunk #5 FAILED at 4715.
Hunk #6 succeeded at 4357 with fuzz 1 (offset -575 lines).
3 out of 6 hunks FAILED -- saving rejects to file rpc_server/srv_samr_nt.c.rej
-----

Must this patch be applied to the 3.4 tree? I will try to manually apply this patch to 3.3.4 later.
Sorry, this code is being developed in master/3.4, not for 3.3. This is a large enough change that I want to roll it out in 3.4 only. Guenther and I are still working on this. Jeremy.
Created attachment 4151: Latest patch for master/3.4

Ok, here is the best fix I can come up with until gd finishes his testing. The only part I'm unsure about is the part of the fix marked:

+ * JRA - TESTME. We just created this user so we
+ * had rights to create them. Do we need to check
+ * any further access on this object ? Can't we
+ * just assume we have all the rights we need ?

which is to do with the access rights on a user we just created. Please test! Thanks, Jeremy.
So this one won't be fixed in 3.3?
We could, of course, but the patch would not be tiny :-)
No, this is way too much change for 3.3 or 3.2. Jeremy.
Okay, so it makes sense to update the component.
This has been resolved and successfully tested for 3.4 final.