svn commit: samba r23227 - in branches/SAMBA_3_0_26/source/rpc_server: .

jerry at samba.org jerry at samba.org
Tue May 29 19:48:36 GMT 2007


Author: jerry
Date: 2007-05-29 19:48:34 +0000 (Tue, 29 May 2007)
New Revision: 23227

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=23227

Log:
merge current user to pipe_user changes on the lsa server pipe
Modified:
   branches/SAMBA_3_0_26/source/rpc_server/srv_lsa_nt.c


Changeset:
Modified: branches/SAMBA_3_0_26/source/rpc_server/srv_lsa_nt.c
===================================================================
--- branches/SAMBA_3_0_26/source/rpc_server/srv_lsa_nt.c	2007-05-29 19:36:13 UTC (rev 23226)
+++ branches/SAMBA_3_0_26/source/rpc_server/srv_lsa_nt.c	2007-05-29 19:48:34 UTC (rev 23227)
@@ -544,7 +544,7 @@
 	lsa_get_generic_sd(p->mem_ctx, &psd, &sd_size);
 
 	if(!se_access_check(psd, p->pipe_user.nt_user_token, des_access, &acc_granted, &status)) {
-		if (geteuid() != 0) {
+		if (p->pipe_user.ut.uid != sec_initial_uid()) {
 			return status;
 		}
 		DEBUG(4,("ACCESS should be DENIED (granted: %#010x;  required: %#010x)\n",
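Review bot: The override at `if (p->pipe_user.ut.uid != sec_initial_uid())` lets the call continue after se_access_check() has failed, and the only trace is the DEBUG(4, ...) message that follows, which is not visible at low log levels. Because the decision now depends on the authenticated pipe user rather than the process euid, state that intent above the test, for example `/* a pipe user mapped to the initial (root) uid bypasses the policy SD check */`. Consider also logging the override at a more visible debug level so that it can be audited. The DEBUG statement and the enclosing function continue outside the hunk.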
@@ -554,7 +554,7 @@
 
 	/* This is needed for lsa_open_account and rpcclient .... :-) */
 
-	if (geteuid() == 0)
+	if (p->pipe_user.ut.uid == sec_initial_uid())
 		acc_granted = POLICY_ALL_ACCESS;
 
 	/* associate the domain SID with the (unique) handle. */
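Review bot: The branch `if (p->pipe_user.ut.uid == sec_initial_uid())` discards whatever se_access_check() computed and sets acc_granted to POLICY_ALL_ACCESS, so the root-mapped pipe user holds every policy right even when des_access asked for less. The comment above it ("needed for lsa_open_account and rpcclient") does not say this. Suggest a comment such as `/* root pipe user: grant full policy access regardless of des_access */`. The single-statement body should also be braced, as in `if (p->pipe_user.ut.uid == sec_initial_uid()) {`, so a later added line cannot slip outside the condition. The enclosing function starts and ends outside the hunk.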
@@ -875,7 +875,12 @@
 
 		if (name->type == SID_NAME_UNKNOWN) {
 			name->dom_idx = -1;
-			/* unknown sids should return the string representation of the SID */
+			/* Unknown sids should return the string
+			 * representation of the SID. Windows 2003 behaves
+			 * rather erratic here, in many cases it returns the
+			 * RID as 8 bytes hex, in others it returns the full
+			 * SID. We (Jerry/VL) could not figure out which the
+			 * hard cases are, so leave it with the SID.  */
 			name->name = talloc_asprintf(p->mem_ctx, "%s", 
 			                             sid_string_static(sids[i]));
 			if (name->name == NULL) {
@@ -1769,7 +1774,6 @@
 	struct lsa_info *info = NULL;
 	SE_PRIV mask;
 	PRIVILEGE_SET *set = NULL;
-	struct current_user user;
 
 	/* find the connection policy handle. */
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
@@ -1778,8 +1782,7 @@
 	/* check to see if the pipe_user is root or a Domain Admin since 
 	   account_pol.tdb was already opened as root, this is all we have */
 	   
-	get_current_user( &user, p );
-	if ( user.ut.uid != sec_initial_uid() 
+	if ( p->pipe_user.ut.uid != sec_initial_uid() 
 		&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
 	{
 		return NT_STATUS_ACCESS_DENIED;
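Review bot: The root-or-Domain-Admins test `p->pipe_user.ut.uid != sec_initial_uid() && !nt_token_check_domain_rid(...)` is repeated verbatim in the three later hunks at old lines 1819, 1981 and 2039. Any future change to this authorization rule would have to be made in four places, and a missed copy leaves one call with a weaker check. Suggest one static helper in this file that takes `p` and reports whether the pipe user has the initial uid or is in DOMAIN_GROUP_RID_ADMINS. Each call site then becomes `if (!lsa_pipe_user_is_admin(p)) return NT_STATUS_ACCESS_DENIED;` (the helper name is only a suggestion). The enclosing function starts and ends outside the hunk.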
@@ -1810,7 +1813,6 @@
 	struct lsa_info *info = NULL;
 	SE_PRIV mask;
 	PRIVILEGE_SET *set = NULL;
-	struct current_user user;
 
 	/* find the connection policy handle. */
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)(void *)&info))
@@ -1819,8 +1821,7 @@
 	/* check to see if the pipe_user is root or a Domain Admin since 
 	   account_pol.tdb was already opened as root, this is all we have */
 	   
-	get_current_user( &user, p );
-	if ( user.ut.uid != sec_initial_uid()
+	if ( p->pipe_user.ut.uid != sec_initial_uid()
 		&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) 
 	{
 		return NT_STATUS_ACCESS_DENIED;
@@ -1971,7 +1972,6 @@
 	DOM_SID sid;
 	fstring privname;
 	UNISTR4_ARRAY *uni_privnames = q_u->rights;
-	struct current_user user;
 	
 
 	/* find the connection policy handle. */
@@ -1981,8 +1981,7 @@
 	/* check to see if the pipe_user is a Domain Admin since 
 	   account_pol.tdb was already opened as root, this is all we have */
 	   
-	get_current_user( &user, p );
-	if ( user.ut.uid != sec_initial_uid()
+	if ( p->pipe_user.ut.uid != sec_initial_uid()
 		&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) ) 
 	{
 		return NT_STATUS_ACCESS_DENIED;
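Review bot: The comment above this check says "check to see if the pipe_user is a Domain Admin", but the condition also admits a pipe user whose uid equals sec_initial_uid(). The same wording appears in the last hunk (old line 2039), while the two earlier copies of the check say "root or a Domain Admin". Since the commit touches these lines anyway, align the comment with the code: `/* check to see if the pipe_user is root or a Domain Admin since account_pol.tdb was already opened as root, this is all we have */`. An access-control comment that understates who is allowed through is easy to misread during an audit.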
@@ -2029,7 +2028,6 @@
 	DOM_SID sid;
 	fstring privname;
 	UNISTR4_ARRAY *uni_privnames = q_u->rights;
-	struct current_user user;
 	
 
 	/* find the connection policy handle. */
@@ -2039,8 +2037,7 @@
 	/* check to see if the pipe_user is a Domain Admin since 
 	   account_pol.tdb was already opened as root, this is all we have */
 	   
-	get_current_user( &user, p );
-	if ( user.ut.uid != sec_initial_uid()
+	if ( p->pipe_user.ut.uid != sec_initial_uid()
 		&& !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
 	{
 		return NT_STATUS_ACCESS_DENIED;


