svn commit: samba r16471 - branches/SAMBA_3_0/source/auth trunk/source/auth

jerry at samba.org jerry at samba.org
Thu Jun 22 19:47:45 GMT 2006


Author: jerry
Date: 2006-06-22 19:47:44 +0000 (Thu, 22 Jun 2006)
New Revision: 16471

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=16471

Log:
Bug reported by Vitaly Protsko <villy at sft.ru> in 3.0.23rc1.
Add the missing automatic addition of the Administrators SID in the absence
of winbindd and the presence of the Domain Admins SID in the user's token.

	

Modified:
   branches/SAMBA_3_0/source/auth/auth_util.c
   trunk/source/auth/auth_util.c


Changeset:
Modified: branches/SAMBA_3_0/source/auth/auth_util.c
===================================================================
--- branches/SAMBA_3_0/source/auth/auth_util.c	2006-06-22 19:42:38 UTC (rev 16470)
+++ branches/SAMBA_3_0/source/auth/auth_util.c	2006-06-22 19:47:44 UTC (rev 16471)
@@ -688,6 +688,31 @@
 
 static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_token *token )
 {
+	DOM_SID domadm;
+
+	/* nothing to do if we aren't in a domain */
+	
+	if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) {
+		return NT_STATUS_OK;
+	}
+	
+	/* Find the Domain Admins SID */
+	
+	if ( IS_DC ) {
+		sid_copy( &domadm, get_global_sam_sid() );
+	} else {
+		if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) )
+			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+	sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS );
+	
+	/* Add Administrators if the user beloongs to Domain Admins */
+	
+	if ( nt_token_check_sid( &domadm, token ) ) {
+		add_sid_to_array(token, &global_sid_Builtin_Administrators,
+				 &token->user_sids, &token->num_sids);
+	}
+	
 	return NT_STATUS_OK;
 }
 
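Review bot: The domain-member branch returns NT_STATUS_CANT_ACCESS_DOMAIN_INFO when secrets_fetch_domain_sid() fails without logging anything, so a missing stored domain SID shows up only as an unexplained failure in whatever builds the token. I would add `DEBUG(0, ("add_builtin_administrators: could not fetch domain SID for %s\n", lp_workgroup()));` before that return. The function also now grants BUILTIN\Administrators to any token that carries the Domain Admins SID, but nothing in its body checks the "absence of winbindd" condition from the log message, so that precondition presumably lives in the caller outside this hunk. A header comment should say so, for example `/* Only call when winbindd cannot supply local group membership; maps Domain Admins to BUILTIN\Administrators. */`. The comment typo "beloongs" should read "belongs", and all of this applies equally to the identical trunk/source/auth/auth_util.c hunk below.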

Modified: trunk/source/auth/auth_util.c
===================================================================
--- trunk/source/auth/auth_util.c	2006-06-22 19:42:38 UTC (rev 16470)
+++ trunk/source/auth/auth_util.c	2006-06-22 19:47:44 UTC (rev 16471)
@@ -688,6 +688,31 @@
 
 static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_token *token )
 {
+	DOM_SID domadm;
+
+	/* nothing to do if we aren't in a domain */
+	
+	if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) {
+		return NT_STATUS_OK;
+	}
+	
+	/* Find the Domain Admins SID */
+	
+	if ( IS_DC ) {
+		sid_copy( &domadm, get_global_sam_sid() );
+	} else {
+		if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) )
+			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+	sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS );
+	
+	/* Add Administrators if the user beloongs to Domain Admins */
+	
+	if ( nt_token_check_sid( &domadm, token ) ) {
+		add_sid_to_array(token, &global_sid_Builtin_Administrators,
+				 &token->user_sids, &token->num_sids);
+	}
+	
 	return NT_STATUS_OK;
 }
 


