mirror of
https://github.com/samba-team/samba.git
synced 2025-02-10 13:57:47 +03:00
r4874: add DOmain Admins (Full Control) to the default printer sd if we are a DC
This commit is contained in:
Gerald Carter
Gerald (Jerry) Carter
parent
c646829e32
commit
8971a85442
@ -4806,7 +4806,8 @@ WERROR nt_printing_setsec(const char *printername, SEC_DESC_BUF *secdesc_ctr)
|
|||||||
|
|
||||||
static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
|
static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
|
||||||
{
|
{
|
||||||
SEC_ACE ace[3];
|
SEC_ACE ace[5]; /* max number of ace entries */
|
||||||
|
int i = 0;
|
||||||
SEC_ACCESS sa;
|
SEC_ACCESS sa;
|
||||||
SEC_ACL *psa = NULL;
|
SEC_ACL *psa = NULL;
|
||||||
SEC_DESC_BUF *sdb = NULL;
|
SEC_DESC_BUF *sdb = NULL;
|
||||||
@ -4817,7 +4818,7 @@ static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
|
|||||||
/* Create an ACE where Everyone is allowed to print */
|
/* Create an ACE where Everyone is allowed to print */
|
||||||
|
|
||||||
init_sec_access(&sa, PRINTER_ACE_PRINT);
|
init_sec_access(&sa, PRINTER_ACE_PRINT);
|
||||||
init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
|
init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
|
||||||
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
|
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
|
||||||
|
|
||||||
/* Make the security descriptor owned by the Administrators group
|
/* Make the security descriptor owned by the Administrators group
|
||||||
@ -4836,20 +4837,38 @@ static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
|
|||||||
}
|
}
|
||||||
|
|
||||||
init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL);
|
init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL);
|
||||||
init_sec_ace(&ace[1], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
|
init_sec_ace(&ace[i++], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
|
||||||
sa, SEC_ACE_FLAG_OBJECT_INHERIT |
|
sa, SEC_ACE_FLAG_OBJECT_INHERIT |
|
||||||
SEC_ACE_FLAG_INHERIT_ONLY);
|
SEC_ACE_FLAG_INHERIT_ONLY);
|
||||||
|
|
||||||
init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL);
|
init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL);
|
||||||
init_sec_ace(&ace[2], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
|
init_sec_ace(&ace[i++], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
|
||||||
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
|
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
|
||||||
|
|
||||||
|
/* Add the domain admins group if we are a DC */
|
||||||
|
|
||||||
|
if ( IS_DC ) {
|
||||||
|
DOM_SID domadmins_sid;
|
||||||
|
|
||||||
|
sid_copy(&domadmins_sid, get_global_sam_sid());
|
||||||
|
sid_append_rid(&domadmins_sid, DOMAIN_GROUP_RID_ADMINS);
|
||||||
|
|
||||||
|
init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL);
|
||||||
|
init_sec_ace(&ace[i++], &domadmins_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
|
||||||
|
sa, SEC_ACE_FLAG_OBJECT_INHERIT |
|
||||||
|
SEC_ACE_FLAG_INHERIT_ONLY);
|
||||||
|
|
||||||
|
init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL);
|
||||||
|
init_sec_ace(&ace[i++], &domadmins_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
|
||||||
|
sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
|
||||||
|
}
|
||||||
|
|
||||||
/* The ACL revision number in rpc_secdesc.h differs from the one
|
/* The ACL revision number in rpc_secdesc.h differs from the one
|
||||||
created by NT when setting ACE entries in printer
|
created by NT when setting ACE entries in printer
|
||||||
descriptors. NT4 complains about the property being edited by a
|
descriptors. NT4 complains about the property being edited by a
|
||||||
NT5 machine. */
|
NT5 machine. */
|
||||||
|
|
||||||
if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) != NULL) {
|
if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) != NULL) {
|
||||||
psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE,
|
psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE,
|
||||||
&owner_sid, NULL,
|
&owner_sid, NULL,
|
||||||
NULL, psa, &sd_size);
|
NULL, psa, &sd_size);
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user