7238 – Users with SeMachineAccountPrivilege right are able to change users and groups accounts

Bug 7238 - Users with SeMachineAccountPrivilege right are able to change users and groups accounts

Summary: Users with SeMachineAccountPrivilege right are able to change users and group...

Status:	NEW

Alias:	None

Product:	Samba 3.3
Classification:	Unclassified
Component:	User & Group Accounts (show other bugs)
Version:	3.3.4
Hardware:	PPC Linux

Importance:	P3 major
Target Milestone:	---
Assignee:	Guenther Deschner
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-03-11 06:38 UTC by Carlos Eduardo Pedroza Santiviago
Modified:	2010-03-18 09:21 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Carlos Eduardo Pedroza Santiviago 2010-03-11 06:38:04 UTC

Users with SeMachineAccountPrivilege right are able to change users and groups accounts

Using samba-3.3.4-0.1.146 on PPC SLES10.

Comment 1 Volker Lendecke 2010-03-11 07:02:56 UTC

Can you please upload your smb.conf together with a debug level 10 log of smbd doing an operation that it should have denied?

Thanks,

Volker

Comment 2 Guenther Deschner 2010-03-11 07:35:02 UTC

Volker, I remember that we worked (hopefully fixed) exactly this during the samr cleanup for 3.4.

Comment 3 Volker Lendecke 2010-03-11 07:54:24 UTC

Ok, you're the boss here :-)

Volker

Comment 4 Guenther Deschner 2010-03-12 07:21:07 UTC

Do you have a chance to use a recent 3.4 release ? There have been quite some fixes in the area of these access checks that should resolve your issue. 

There won't be a new 3.3.x release as this is a discontinued series, so no backports for these access checks are available right now.

Comment 5 Carlos Eduardo Pedroza Santiviago 2010-03-18 09:21:30 UTC

I've upgraded to 3.5.1 and will look into this.