The Samba-Bugzilla – Bug 6342
SeMachineAccountPrivilege works same as SeAddUsersPrivilege
Last modified: 2009-06-12 05:19:43 UTC
SeMachineAccountPrivilege works same as SeAddUsersPrivilege.
In Samba domain environment,
a user granted SeMachineAccountPrivilege can modify all users' property, password, account policy, same as a user granted SeAddUsersPrivilege.
Is this by design?
A user granted SeAddUsersPrivilege cannot add a machine to the domain.
A user granted SeMachineAccountPrivilege can add a machine to the domain.
So these 2 privileges work well around joining a domain.
I guess it's by design. Creating a machine account is creating another user. Jeremy, is that assumption right?
Actually no, I don't think so. SeMachineAccountPrivilage shouldn't allow you to edit normal users. I'll look at the code in this one.
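As an added illustration of the privilege split this comment describes (SeAddUsersPrivilege covers normal users, SeMachineAccountPrivilege covers machine accounts only), here is a small C model of the check with the reported pre-fix behaviour beside it. This is example code written for this page, not Samba's code: the constant and function names are constructed and only mirror the spirit of Samba's privilege and ACB_* flag names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Privilege bits, constructed for this example (not Samba's definitions). */
#define PRIV_ADD_USERS        0x01u   /* stands in for SeAddUsersPrivilege */
#define PRIV_MACHINE_ACCOUNT  0x02u   /* stands in for SeMachineAccountPrivilege */

/* Account-control flags in the style of Samba's ACB_* values (constructed). */
#define ACB_NORMAL    0x0010u  /* normal user account */
#define ACB_WSTRUST   0x0080u  /* workstation trust (machine) account */
#define ACB_SVRTRUST  0x0100u  /* server trust account */

enum op { OP_CREATE, OP_MODIFY };

static bool is_machine_account(uint32_t acb)
{
    return (acb & (ACB_WSTRUST | ACB_SVRTRUST)) != 0;
}

/* Intended behaviour: may a caller holding `privs` perform `op` on an
 * account whose control flags are `acb`?
 *  - PRIV_ADD_USERS: create and modify normal user accounts only.
 *  - PRIV_MACHINE_ACCOUNT: create machine accounts (domain join) only;
 *    no rights over normal users. */
static bool priv_allows(uint32_t privs, enum op op, uint32_t acb)
{
    if (is_machine_account(acb)) {
        return op == OP_CREATE && (privs & PRIV_MACHINE_ACCOUNT) != 0;
    }
    return (privs & PRIV_ADD_USERS) != 0;
}

/* Reported (pre-fix) behaviour, modelled for contrast: for normal user
 * accounts both privileges were treated alike, so a holder of the machine
 * account privilege could also modify ordinary users. */
static bool legacy_allows(uint32_t privs, enum op op, uint32_t acb)
{
    if (is_machine_account(acb)) {
        return op == OP_CREATE && (privs & PRIV_MACHINE_ACCOUNT) != 0;
    }
    return (privs & (PRIV_ADD_USERS | PRIV_MACHINE_ACCOUNT)) != 0;
}

int main(void)
{
    struct { const char *label; uint32_t privs; enum op op; uint32_t acb; } cases[] = {
        { "machine-priv modifies normal user", PRIV_MACHINE_ACCOUNT, OP_MODIFY, ACB_NORMAL },
        { "machine-priv creates machine",      PRIV_MACHINE_ACCOUNT, OP_CREATE, ACB_WSTRUST },
        { "add-users creates machine",         PRIV_ADD_USERS,       OP_CREATE, ACB_WSTRUST },
        { "add-users modifies normal user",    PRIV_ADD_USERS,       OP_MODIFY, ACB_NORMAL },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-36s legacy=%d fixed=%d\n", cases[i].label,
               legacy_allows(cases[i].privs, cases[i].op, cases[i].acb),
               priv_allows(cases[i].privs, cases[i].op, cases[i].acb));
    }
    return 0;
}
```

The first row is the bug itself: the legacy model says yes, the fixed model says no, while the domain-join row is unchanged between the two.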
Created attachment 4148 [details]
Patch for master/3.4 to test.
Patch passes make test, so that's something. TAKAHASHI-san, can you test this as well please?
Created attachment 4150 [details]
Pater patch - fixes more....
I meant "later" not "pater" :-).
Patch id=4150 failed for me:
samba33a:/home/local/Work/samba-3.3.4/source# patch -p2 < ../patch3.txt
patching file lib/privileges_basic.c
patching file rpc_server/srv_samr_nt.c
Hunk #1 succeeded at 174 (offset -11 lines).
Hunk #2 succeeded at 2139 (offset -68 lines).
Hunk #3 FAILED at 2169.
Hunk #4 FAILED at 4661.
Hunk #5 FAILED at 4715.
Hunk #6 succeeded at 4357 with fuzz 1 (offset -575 lines).
3 out of 6 hunks FAILED -- saving rejects to file rpc_server/srv_samr_nt.c.rej
This patch must be applied for 3.4 tree?
I will try to manually apply this patch for 3.3.4 later.
Sorry, this code is being developed in master/3.4 not for 3.3.
This is a large enough change I want to roll it out in 3.4 only. Guenther and I are still working on this.
Created attachment 4151 [details]
Latest patch for master/3.4
Ok, here is the best fix I can come up with until gd finishes his testing. The only part I'm unsure about is the part of the fix marked:
+ * JRA - TESTME. We just created this user so we
+ * had rights to create them. Do we need to check
+ * any further access on this object ? Can't we
+ * just assume we have all the rights we need ?
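Review bot: the TESTME comment records an open question rather than a decision, so the patch should not ship with it unresolved. Either keep an explicit access check on the just-created user object before the follow-on operations, or replace the question with a comment stating why the caller's creation rights are sufficient for them, and add a make test case that exercises the create-then-modify path so whichever answer is chosen is actually tested.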
which is to do with the access rights on a user we just created. Please test!
So this one won't be fixed in 3.3?
We could of course but the patch would not be tiny :-)
No, this is way too much change for 3.3 or 3.2.
Okay, so it makes sense to update the component.
This has been resolved and successfully tested for 3.4 final.