[SCM] Samba Shared Repository - branch master updated -
release-4-0-0alpha7-1649-g5adb3b8
Jeremy Allison
jra at samba.org
Fri May 15 20:37:43 GMT 2009
The branch, master has been updated
via 5adb3b884130d6d292a4e25e3b32c50bc884dbf9 (commit)
from 2b784738d7ce444fb63e2cac91ad2e220cc6e551 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 5adb3b884130d6d292a4e25e3b32c50bc884dbf9
Author: Jeremy Allison <jra at samba.org>
Date: Fri May 15 13:36:43 2009 -0700
Add extra abilities for a user with SeAddUsers, so they
can manipulate groups and aliases.
Jeremy.
-----------------------------------------------------------------------
Summary of changes:
source3/rpc_server/srv_samr_nt.c | 17 +++++++++++++++--
1 files changed, 15 insertions(+), 2 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 8b1a90a..f1725e2 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -537,6 +537,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
uint32 des_access = r->in.access_mask;
NTSTATUS status;
size_t sd_size;
+ uint32_t extra_access = SAMR_DOMAIN_ACCESS_CREATE_USER;
SE_PRIV se_rights;
/* find the connection policy handle. */
@@ -555,13 +556,25 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
/*
* Users with SeMachineAccount or SeAddUser get additional
- * SAMR_DOMAIN_ACCESS_CREATE_USER access, but no more.
+ * SAMR_DOMAIN_ACCESS_CREATE_USER access.
*/
se_priv_copy( &se_rights, &se_machine_account );
se_priv_add( &se_rights, &se_add_users );
+ /*
+ * Users with SeAddUser get the ability to manipulate groups
+ * and aliases.
+ */
+ if (user_has_any_privilege(p->server_info->ptok, &se_add_users)) {
+ extra_access |= (SAMR_DOMAIN_ACCESS_CREATE_GROUP |
+ SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
+ SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
+ SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS |
+ SAMR_DOMAIN_ACCESS_CREATE_ALIAS);
+ }
+
status = access_check_samr_object( psd, p->server_info->ptok,
- &se_rights, SAMR_DOMAIN_ACCESS_CREATE_USER, des_access,
+ &se_rights, extra_access, des_access,
&acc_granted, "_samr_OpenDomain" );
if ( !NT_STATUS_IS_OK(status) )
--
Samba Shared Repository
More information about the samba-cvs
mailing list