svn commit: samba-web r802 - in trunk/patches: .

Fri Sep 2 13:35:37 GMT 2005

Author: jerry
Date: 2005-09-02 13:35:37 +0000 (Fri, 02 Sep 2005)
New Revision: 802

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-web&rev=802

Log:
adding the usrmgr.ex and groups patch
Added:
   trunk/patches/usrmgr_groups_v1.patch
Modified:
   trunk/patches/index.html


Changeset:
Modified: trunk/patches/index.html
===================================================================

--- trunk/patches/index.html	2005-09-01 14:54:44 UTC (rev 801)
+++ trunk/patches/index.html	2005-09-02 13:35:37 UTC (rev 802)
@@ -67,9 +67,12 @@
   <tr>
     <td><a href="/samba/patches/regcreatekey_winxp_v1.patch">RegCreateKeyEx() Failures</a></td>
     <td>Fixes a RPC fault when parsing the REG_CREATE_KEY_EX request structure from a 
-        Windows XP client during a domain logon.  Also reported to fix interoperability
-        issues with usrmgr.exe on Windows XP clients.</td>
+        Windows XP client during a domain logon.</td>
   </tr>
+  <tr>
+    <td><a href="/samba/patches/usrmgr_groups_v1.patch">Usrmgr.exe and Groups</a></td>
+    <td>Ensure accounts with the SeAddUsersPrivilege can modify domain and local group attributes.</td>
+  </tr>
   </tbody> 
 </table>
 

Added: trunk/patches/usrmgr_groups_v1.patch
===================================================================
--- trunk/patches/usrmgr_groups_v1.patch	2005-09-01 14:54:44 UTC (rev 801)
+++ trunk/patches/usrmgr_groups_v1.patch	2005-09-02 13:35:37 UTC (rev 802)
@@ -0,0 +1,73 @@
+diff -ubBrN --exclude-from=diff.excludes samba-3.0.20-orig/source/rpc_server/srv_samr_nt.c samba-3.0.20-new/source/rpc_server/srv_samr_nt.c
+--- samba-3.0.20-orig/source/rpc_server/srv_samr_nt.c	2005-08-07 18:09:55.000000000 -0500
++++ samba-3.0.20-new/source/rpc_server/srv_samr_nt.c	2005-09-01 16:34:06.000000000 -0500
+@@ -3927,6 +3927,8 @@
+ 	GROUP_MAP map;
+ 	GROUP_INFO_CTR *ctr;
+ 	uint32 acc_granted;
++	BOOL ret;
++	BOOL can_mod_accounts;
+ 
+ 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
+ 		return NT_STATUS_INVALID_HANDLE;
+@@ -3951,11 +3953,21 @@
+ 			return NT_STATUS_INVALID_INFO_CLASS;
+ 	}
+ 
+-	if(!pdb_update_group_mapping_entry(&map)) {
+-		return NT_STATUS_NO_SUCH_GROUP;
+-	}
++	can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
+ 
+-	return NT_STATUS_OK;
++	/******** BEGIN SeAddUsers BLOCK *********/
++
++	if ( can_mod_accounts )
++		become_root();
++	  
++	ret = pdb_update_group_mapping_entry(&map);
++
++	if ( can_mod_accounts )
++		unbecome_root();
++
++	/******** End SeAddUsers BLOCK *********/
++
++	return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
+ }
+ 
+ /*********************************************************************
+@@ -3970,6 +3982,8 @@
+ 	struct acct_info info;
+ 	ALIAS_INFO_CTR *ctr;
+ 	uint32 acc_granted;
++	BOOL ret;
++	BOOL can_mod_accounts;
+ 
+ 	if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted))
+ 		return NT_STATUS_INVALID_HANDLE;
+@@ -3992,11 +4006,21 @@
+ 			return NT_STATUS_INVALID_INFO_CLASS;
+ 	}
+ 
+-	if(!pdb_set_aliasinfo(&group_sid, &info)) {
+-		return NT_STATUS_ACCESS_DENIED;
+-	}
++        can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
+ 
+-	return NT_STATUS_OK;
++        /******** BEGIN SeAddUsers BLOCK *********/
++
++        if ( can_mod_accounts )
++                become_root();
++
++        ret = pdb_set_aliasinfo( &group_sid, &info );
++
++        if ( can_mod_accounts )
++                unbecome_root();
++
++        /******** End SeAddUsers BLOCK *********/
++
++	return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
+ }
+ 
+ /*********************************************************************

