[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-557-gced2429

Andrew Tridgell tridge at samba.org
Sat Sep 19 20:41:24 MDT 2009


The branch, master has been updated
       via  ced2429dfa586f27567f4d7b36a2ca76d566c965 (commit)
       via  d5b9409e634a43a953a8128a376ddd90a0cb5a23 (commit)
      from  8fd6ce613a4c1b35e1c1435bdd99af96de1d6bdf (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ced2429dfa586f27567f4d7b36a2ca76d566c965
Author: Andrew Tridgell <tridge at samba.org>
Date:   Sat Sep 19 19:40:03 2009 -0700

    s4-auth: add SID_NT_ENTERPRISE_DCS is a server trust account

commit d5b9409e634a43a953a8128a376ddd90a0cb5a23
Author: Andrew Tridgell <tridge at samba.org>
Date:   Sat Sep 19 19:39:42 2009 -0700

    s4-drs: security checking on DRS needs to default to on

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/sam.c                   |   14 +++++++++++++-
 source4/rpc_server/drsuapi/drsutil.c |    3 ++-
 2 files changed, 15 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 7403245..53de414 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -390,6 +390,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
 	/* SID structures for the expanded group memberships */
 	struct dom_sid **groupSIDs = NULL, **groupSIDs_2 = NULL;
 	int num_groupSIDs = 0, num_groupSIDs_2 = 0, i;
+	uint32_t userAccountControl;
 
 	server_info = talloc(mem_ctx, struct auth_serversupplied_info);
 	NT_STATUS_HAVE_NO_MEMORY(server_info);
@@ -404,7 +405,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
 
 	/* Expands the primary group */
 	status = authsam_expand_nested_groups(sam_ctx, primary_group_sid, false,
-		server_info, &groupSIDs, &num_groupSIDs);
+					      server_info, &groupSIDs, &num_groupSIDs);
 	if (!NT_STATUS_IS_OK(status)) {
 		talloc_free(server_info);
 		return status;
@@ -436,6 +437,17 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
 	server_info->account_sid = account_sid;
 	server_info->primary_group_sid = primary_group_sid;
 	
+	/* DCs also get SID_NT_ENTERPRISE_DCS */
+	userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
+	if (userAccountControl & UF_SERVER_TRUST_ACCOUNT) {
+		groupSIDs = talloc_realloc(server_info, groupSIDs, struct dom_sid *,
+					   num_groupSIDs+1);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, server_info);
+		groupSIDs[num_groupSIDs] = dom_sid_parse_talloc(groupSIDs, SID_NT_ENTERPRISE_DCS);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs[num_groupSIDs], server_info);
+		num_groupSIDs++;
+	}
+
 	server_info->domain_groups = groupSIDs;
 	server_info->n_domain_groups = num_groupSIDs;
 
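Review bot: The new block grants SID_NT_ENTERPRISE_DCS on the `UF_SERVER_TRUST_ACCOUNT` bit of `userAccountControl` alone, and the one-line comment does not say that write access to that attribute thereby becomes the effective gate for anything that later trusts this SID. I would expand the comment to something like `/* DCs also get SID_NT_ENTERPRISE_DCS. Keyed only on UF_SERVER_TRUST_ACCOUNT, so write access to userAccountControl must stay restricted. */`. Note also that `ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0)` defaults to 0, so a `msg` fetched without that attribute skips the grant silently. That fails closed, but the callers' attribute lists are not visible here and should be checked. authsam_make_server_info starts and ends outside this hunk.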
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index 54bcdab..03116f2 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -105,7 +105,8 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
 
 WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call)
 {
-	if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "disable_sec_check", true)) {
+	if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, 
+			 "drs", "disable_sec_check", false)) {
 		return WERR_OK;
 	}
 
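Review bot: With `disable_sec_check` now defaulting to false, the early `return WERR_OK` is reached only when an administrator has explicitly switched the DRS security check off, yet that bypass leaves no trace in the logs. Consider logging it before returning, e.g. `DEBUG(1, ("drs:disable_sec_check is set, skipping security check for %s\n", call));`, so that a leftover test setting is visible in operation. The first added line also ends in trailing whitespace after `NULL,`. The rest of drs_security_level_check lies outside the hunk.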


-- 
Samba Shared Repository

