[SCM] Samba Shared Repository - branch master updated -
release-4-0-0alpha7-1878-g227553f
Andrew Bartlett
abartlet at samba.org
Fri May 29 07:12:53 GMT 2009
The branch, master has been updated
via 227553f904186112e9218c4a7c8b1b46fef5b897 (commit)
from b83f84c8c3be1ce0319a9f36704e3bf4718e159f (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 227553f904186112e9218c4a7c8b1b46fef5b897
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri May 29 17:12:06 2009 +1000
Win2k3 don't allow creating of domain trust accounts over SAMR
-----------------------------------------------------------------------
Summary of changes:
source4/rpc_server/samr/dcesrv_samr.c | 10 +++++-----
source4/torture/rpc/samr.c | 2 +-
2 files changed, 6 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index fabc88d..ec60ac7 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -1213,6 +1213,9 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL
if (d_state->builtin) {
DEBUG(5, ("Cannot create a user in the BUILTIN domain"));
return NT_STATUS_ACCESS_DENIED;
+ } else if (r->in.acct_flags == ACB_DOMTRUST) {
+ /* Domain trust accounts must be created by the LSA calls */
+ return NT_STATUS_ACCESS_DENIED;
}
account_name = r->in.account_name->string;
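Review bot: The new ACB_DOMTRUST branch denies the request silently, while the BUILTIN branch directly above it logs at DEBUG(5). A refused attempt to create a trust account over SAMR deserves a log line as well, for example `DEBUG(5, ("Cannot create a domain trust account over SAMR\n"));`. The test is exact equality, so ACB_DOMTRUST combined with other bits skips this branch and presumably reaches the final `else` that returns NT_STATUS_INVALID_PARAMETER, which is what the torture table in this commit expects. A short comment such as `/* exact match only: ACB_DOMTRUST with extra bits is rejected later as INVALID_PARAMETER */` would stop a later reader from changing it to a mask test. The function body continues outside the hunk.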
@@ -1258,6 +1261,7 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL
} else if (r->in.acct_flags == ACB_WSTRUST) {
if (cn_name[cn_name_len - 1] != '$') {
+ ldb_transaction_cancel(d_state->sam_ctx);
return NT_STATUS_FOOBAR;
}
cn_name[cn_name_len - 1] = '\0';
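Review bot: The `cn_name[cn_name_len - 1]` check on the ACB_WSTRUST path reads one byte before the buffer when `cn_name_len` is 0, and the commit leaves that untouched while adding the transaction cancel next to it. The name comes from `r->in.account_name->string`, which is client-supplied, and nothing visible in these hunks rejects an empty string; where `cn_name_len` is computed lies outside the hunk, so confirm whether an earlier check exists. If none does, guard the index: `if (cn_name_len == 0 || cn_name[cn_name_len - 1] != '$') {`. The ACB_SVRTRUST branch in the next hunk has the same expression and needs the same guard.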
@@ -1267,17 +1271,13 @@ static NTSTATUS dcesrv_samr_CreateUser2(struct dcesrv_call_state *dce_call, TALL
} else if (r->in.acct_flags == ACB_SVRTRUST) {
if (cn_name[cn_name_len - 1] != '$') {
+ ldb_transaction_cancel(d_state->sam_ctx);
return NT_STATUS_FOOBAR;
}
cn_name[cn_name_len - 1] = '\0';
container = "OU=Domain Controllers";
obj_class = "computer";
samdb_msg_add_int(d_state->sam_ctx, mem_ctx, msg, "primaryGroupID", DOMAIN_RID_DCS);
-
- } else if (r->in.acct_flags == ACB_DOMTRUST) {
- container = "CN=Users";
- obj_class = "user";
-
} else {
ldb_transaction_cancel(d_state->sam_ctx);
return NT_STATUS_INVALID_PARAMETER;
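Review bot: Each early return in this if/else chain has to remember its own `ldb_transaction_cancel(d_state->sam_ctx);`, and this commit exists partly because two of them did not. Routing these exits through a single cleanup label that cancels the transaction and returns a stored status would keep a future branch from leaving the SAM transaction open on an error path. Separately, `NT_STATUS_FOOBAR` reads like a placeholder status for a machine account name without a trailing `$`. If the intended wire status is known, a comment naming it, or a specific code, would make the contract clearer. The chain begins and ends outside the hunk.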
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index 0072a01..a1a60bf 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -4372,7 +4372,7 @@ static bool test_CreateUser2(struct dcerpc_pipe *p, struct torture_context *tctx
{ ACB_SVRTRUST, TEST_MACHINENAME, NT_STATUS_OK },
{ ACB_SVRTRUST | ACB_DISABLED, TEST_MACHINENAME, NT_STATUS_INVALID_PARAMETER },
{ ACB_SVRTRUST | ACB_PWNOEXP, TEST_MACHINENAME, NT_STATUS_INVALID_PARAMETER },
- { ACB_DOMTRUST, TEST_DOMAINNAME, NT_STATUS_OK },
+ { ACB_DOMTRUST, TEST_DOMAINNAME, NT_STATUS_ACCESS_DENIED },
{ ACB_DOMTRUST | ACB_DISABLED, TEST_DOMAINNAME, NT_STATUS_INVALID_PARAMETER },
{ ACB_DOMTRUST | ACB_PWNOEXP, TEST_DOMAINNAME, NT_STATUS_INVALID_PARAMETER },
{ 0, TEST_ACCOUNT_NAME, NT_STATUS_INVALID_PARAMETER },
--
Samba Shared Repository