[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-557-gced2429
Andrew Tridgell
tridge at samba.org
Sat Sep 19 20:41:24 MDT 2009
The branch, master has been updated
via ced2429dfa586f27567f4d7b36a2ca76d566c965 (commit)
via d5b9409e634a43a953a8128a376ddd90a0cb5a23 (commit)
from 8fd6ce613a4c1b35e1c1435bdd99af96de1d6bdf (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ced2429dfa586f27567f4d7b36a2ca76d566c965
Author: Andrew Tridgell <tridge at samba.org>
Date: Sat Sep 19 19:40:03 2009 -0700
s4-auth: add SID_NT_ENTERPRISE_DCS is a server trust account
commit d5b9409e634a43a953a8128a376ddd90a0cb5a23
Author: Andrew Tridgell <tridge at samba.org>
Date: Sat Sep 19 19:39:42 2009 -0700
s4-drs: security checking on DRS needs to default to on
-----------------------------------------------------------------------
Summary of changes:
source4/auth/sam.c | 14 +++++++++++++-
source4/rpc_server/drsuapi/drsutil.c | 3 ++-
2 files changed, 15 insertions(+), 2 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 7403245..53de414 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -390,6 +390,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
/* SID structures for the expanded group memberships */
struct dom_sid **groupSIDs = NULL, **groupSIDs_2 = NULL;
int num_groupSIDs = 0, num_groupSIDs_2 = 0, i;
+ uint32_t userAccountControl;
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
@@ -404,7 +405,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
/* Expands the primary group */
status = authsam_expand_nested_groups(sam_ctx, primary_group_sid, false,
- server_info, &groupSIDs, &num_groupSIDs);
+ server_info, &groupSIDs, &num_groupSIDs);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(server_info);
return status;
@@ -436,6 +437,17 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
server_info->account_sid = account_sid;
server_info->primary_group_sid = primary_group_sid;
+ /* DCs also get SID_NT_ENTERPRISE_DCS */
+ userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
+ if (userAccountControl & UF_SERVER_TRUST_ACCOUNT) {
+ groupSIDs = talloc_realloc(server_info, groupSIDs, struct dom_sid *,
+ num_groupSIDs+1);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, server_info);
+ groupSIDs[num_groupSIDs] = dom_sid_parse_talloc(groupSIDs, SID_NT_ENTERPRISE_DCS);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs[num_groupSIDs], server_info);
+ num_groupSIDs++;
+ }
+
server_info->domain_groups = groupSIDs;
server_info->n_domain_groups = num_groupSIDs;
diff --git a/source4/rpc_server/drsuapi/drsutil.c b/source4/rpc_server/drsuapi/drsutil.c
index 54bcdab..03116f2 100644
--- a/source4/rpc_server/drsuapi/drsutil.c
+++ b/source4/rpc_server/drsuapi/drsutil.c
@@ -105,7 +105,8 @@ int drsuapi_search_with_extended_dn(struct ldb_context *ldb,
WERROR drs_security_level_check(struct dcesrv_call_state *dce_call, const char* call)
{
- if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL, "drs", "disable_sec_check", true)) {
+ if (lp_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
+ "drs", "disable_sec_check", false)) {
return WERR_OK;
}
--
Samba Shared Repository
More information about the samba-cvs
mailing list