r5203: additional changes for BUG 2291 to restrict who can join a BDC and add domain trusts
committed by
Gerald (Jerry) Carter
parent
c3edeba62d
commit
5ec1faa2ad
@ -1,3 +1,4 @@
|
||||
|
||||
/*
|
||||
Unix SMB/CIFS implementation.
|
||||
SMB parameters and setup
|
||||
@ -59,6 +60,7 @@ typedef struct {
|
||||
|
||||
/* defined in lib/privilegs.c */
|
||||
|
||||
extern const SE_PRIV se_priv_none;
|
||||
extern const SE_PRIV se_machine_account;
|
||||
extern const SE_PRIV se_print_operator;
|
||||
extern const SE_PRIV se_add_users;
|
||||
|
@ -226,7 +226,7 @@ typedef struct nttime_info
|
||||
#define ACB_MNS 0x0020 /* 1 = MNS logon user account */
|
||||
#define ACB_DOMTRUST 0x0040 /* 1 = Interdomain trust account */
|
||||
#define ACB_WSTRUST 0x0080 /* 1 = Workstation trust account */
|
||||
#define ACB_SVRTRUST 0x0100 /* 1 = Server trust account */
|
||||
#define ACB_SVRTRUST 0x0100 /* 1 = Server trust account (BDC) */
|
||||
#define ACB_PWNOEXP 0x0200 /* 1 = User password does not expire */
|
||||
#define ACB_AUTOLOCK 0x0400 /* 1 = Account auto locked */
|
||||
|
||||
|
@ -29,11 +29,11 @@
|
||||
|
||||
static SE_PRIV se_priv_all = SE_ALL_PRIVS;
|
||||
static SE_PRIV se_priv_end = SE_END;
|
||||
static SE_PRIV se_priv_none = SE_NONE;
|
||||
|
||||
/* Define variables for all privileges so we can use the
|
||||
SE_PRIV* in the various se_priv_XXX() functions */
|
||||
|
||||
const SE_PRIV se_priv_none = SE_NONE;
|
||||
const SE_PRIV se_machine_account = SE_MACHINE_ACCOUNT;
|
||||
const SE_PRIV se_print_operator = SE_PRINT_OPERATOR;
|
||||
const SE_PRIV se_add_users = SE_ADD_USERS;
|
||||
|
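Review bot: The new privilege definitions are `const`, but the two file-scope masks in the context lines just above them, `static SE_PRIV se_priv_all = SE_ALL_PRIVS;` and `static SE_PRIV se_priv_end = SE_END;`, stay writable; since these masks feed the same access decisions, declaring them `static const SE_PRIV` as well keeps them in read-only storage and matches the style the commit introduces. The comment `/* Define variables for all privileges ... */` also overstates what follows — only four privileges are defined here — so `/* Public SE_PRIV constants for the privileges checked by the se_priv_XXX() callers */` would describe the block more accurately.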
@ -2259,17 +2259,27 @@ NTSTATUS _samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_CREA
|
||||
pw = Get_Pwnam(account);
|
||||
|
||||
/* determine which user right we need to check based on the acb_info */
|
||||
if ( acb_info & (ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) {
|
||||
se_priv_copy( &se_rights, &se_machine_account );
|
||||
|
||||
if ( (acb_info & ACB_WSTRUST) == ACB_WSTRUST )
|
||||
{
|
||||
pstrcpy(add_script, lp_addmachine_script());
|
||||
}
|
||||
else {
|
||||
se_priv_copy( &se_rights, &se_add_users );
|
||||
se_priv_copy( &se_rights, &se_machine_account );
|
||||
can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
|
||||
}
|
||||
else if ( (acb_info & ACB_WSTRUST) == ACB_NORMAL )
|
||||
{
|
||||
pstrcpy(add_script, lp_adduser_script());
|
||||
se_priv_copy( &se_rights, &se_add_users );
|
||||
can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
|
||||
}
|
||||
else if ( ((acb_info & ACB_SVRTRUST) == ACB_SVRTRUST) || ((acb_info & ACB_DOMTRUST) == ACB_DOMTRUST) )
|
||||
{
|
||||
pstrcpy(add_script, lp_addmachine_script());
|
||||
/* only Domain Admins can add a BDC or domain trust */
|
||||
se_priv_copy( &se_rights, &se_priv_none );
|
||||
can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
|
||||
}
|
||||
|
||||
can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
|
||||
|
||||
|
||||
DEBUG(5, ("_samr_create_user: %s can add this account : %s\n",
|
||||
p->pipe_user_name, can_add_account ? "True":"False" ));
|
||||
|
||||
|
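Review bot: The condition `else if ( (acb_info & ACB_WSTRUST) == ACB_NORMAL )` can never hold, because the mask leaves only the ACB_WSTRUST bit (0x0080) and ACB_NORMAL is a different flag, so creation of an ordinary user falls through all three branches; it should read `else if ( (acb_info & ACB_NORMAL) == ACB_NORMAL )`. With the unconditional `can_add_account = user_has_privileges(...)` removed and no final else on the new chain, any acb_info that matches none of the branches leaves can_add_account at whatever value it held before this hunk — _samr_create_user begins outside the hunk, so whether that is an initialised False or an indeterminate value cannot be seen here — and a trailing `else { can_add_account = False; }` would make the fail-closed default explicit. The first branch also tests only the ACB_WSTRUST bit, so an acb_info that carries ACB_WSTRUST together with ACB_SVRTRUST or ACB_DOMTRUST is treated as a plain workstation join and never reaches the Domain Admins check; testing the server/trust bits before the workstation bit (or rejecting such combinations up front) would keep the restriction this commit adds from being sidestepped by the flag combination.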
@ -212,7 +212,7 @@ int net_rpc_join_newstyle(int argc, const char **argv)
|
||||
|
||||
if (!NT_STATUS_IS_OK(result) &&
|
||||
!NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) {
|
||||
d_printf("Create of workstation account failed\n");
|
||||
d_printf("Creation of workstation account failed\n");
|
||||
|
||||
/* If NT_STATUS_ACCESS_DENIED then we have a valid
|
||||
username/password combo but the user does not have
|
||||
|