svn commit: samba-web r802 - in trunk/patches: .
jerry at samba.org
jerry at samba.org
Fri Sep 2 13:35:37 GMT 2005
Author: jerry
Date: 2005-09-02 13:35:37 +0000 (Fri, 02 Sep 2005)
New Revision: 802
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-web&rev=802
Log:
adding the usrmgr.ex and groups patch
Added:
trunk/patches/usrmgr_groups_v1.patch
Modified:
trunk/patches/index.html
Changeset:
Modified: trunk/patches/index.html
===================================================================
--- trunk/patches/index.html 2005-09-01 14:54:44 UTC (rev 801)
+++ trunk/patches/index.html 2005-09-02 13:35:37 UTC (rev 802)
@@ -67,9 +67,12 @@
<tr>
<td><a href="/samba/patches/regcreatekey_winxp_v1.patch">RegCreateKeyEx() Failures</a></td>
<td>Fixes a RPC fault when parsing the REG_CREATE_KEY_EX request structure from a
- Windows XP client during a domain logon. Also reported to fix interoperability
- issues with usrmgr.exe on Windows XP clients.</td>
+ Windows XP client during a domain logon.</td>
</tr>
+ <tr>
+ <td><a href="/samba/patches/usrmgr_groups_v1.patch">Usrmgr.exe and Groups</a></td>
+ <td>Ensure accounts with the SeAddUsersPrivilege can modify domain and local group attributes.</td>
+ </tr>
</tbody>
</table>
Added: trunk/patches/usrmgr_groups_v1.patch
===================================================================
--- trunk/patches/usrmgr_groups_v1.patch 2005-09-01 14:54:44 UTC (rev 801)
+++ trunk/patches/usrmgr_groups_v1.patch 2005-09-02 13:35:37 UTC (rev 802)
@@ -0,0 +1,73 @@
+diff -ubBrN --exclude-from=diff.excludes samba-3.0.20-orig/source/rpc_server/srv_samr_nt.c samba-3.0.20-new/source/rpc_server/srv_samr_nt.c
+--- samba-3.0.20-orig/source/rpc_server/srv_samr_nt.c 2005-08-07 18:09:55.000000000 -0500
++++ samba-3.0.20-new/source/rpc_server/srv_samr_nt.c 2005-09-01 16:34:06.000000000 -0500
+@@ -3927,6 +3927,8 @@
+ GROUP_MAP map;
+ GROUP_INFO_CTR *ctr;
+ uint32 acc_granted;
++ BOOL ret;
++ BOOL can_mod_accounts;
+
+ if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
+ return NT_STATUS_INVALID_HANDLE;
+@@ -3951,11 +3953,21 @@
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+- if(!pdb_update_group_mapping_entry(&map)) {
+- return NT_STATUS_NO_SUCH_GROUP;
+- }
++ can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
+
+- return NT_STATUS_OK;
++ /******** BEGIN SeAddUsers BLOCK *********/
++
++ if ( can_mod_accounts )
++ become_root();
++
++ ret = pdb_update_group_mapping_entry(&map);
++
++ if ( can_mod_accounts )
++ unbecome_root();
++
++ /******** End SeAddUsers BLOCK *********/
++
++ return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
+ }
+
+ /*********************************************************************
+@@ -3970,6 +3982,8 @@
+ struct acct_info info;
+ ALIAS_INFO_CTR *ctr;
+ uint32 acc_granted;
++ BOOL ret;
++ BOOL can_mod_accounts;
+
+ if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted))
+ return NT_STATUS_INVALID_HANDLE;
+@@ -3992,11 +4006,21 @@
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+- if(!pdb_set_aliasinfo(&group_sid, &info)) {
+- return NT_STATUS_ACCESS_DENIED;
+- }
++ can_mod_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
+
+- return NT_STATUS_OK;
++ /******** BEGIN SeAddUsers BLOCK *********/
++
++ if ( can_mod_accounts )
++ become_root();
++
++ ret = pdb_set_aliasinfo( &group_sid, &info );
++
++ if ( can_mod_accounts )
++ unbecome_root();
++
++ /******** End SeAddUsers BLOCK *********/
++
++ return ret ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
+ }
+
+ /*********************************************************************
More information about the samba-cvs
mailing list