Index: source/include/privileges.h
===================================================================
--- source/include/privileges.h (revision 5061)
+++ source/include/privileges.h (revision 5206)
@@ -1,3 +1,4 @@
+
 /*
 Unix SMB/CIFS implementation.
 SMB parameters and setup
@@ -59,6 +60,7 @@
 /* defined in lib/privilegs.c */
+extern const SE_PRIV se_priv_none;
 extern const SE_PRIV se_machine_account;
 extern const SE_PRIV se_print_operator;
 extern const SE_PRIV se_add_users;
Index: source/include/smb.h
===================================================================
--- source/include/smb.h (revision 5061)
+++ source/include/smb.h (revision 5206)
@@ -226,7 +226,7 @@
 #define ACB_MNS 0x0020 /* 1 = MNS logon user account */
 #define ACB_DOMTRUST 0x0040 /* 1 = Interdomain trust account */
 #define ACB_WSTRUST 0x0080 /* 1 = Workstation trust account */
-#define ACB_SVRTRUST 0x0100 /* 1 = Server trust account */
+#define ACB_SVRTRUST 0x0100 /* 1 = Server trust account (BDC) */
 #define ACB_PWNOEXP 0x0200 /* 1 = User password does not expire */
 #define ACB_AUTOLOCK 0x0400 /* 1 = Account auto locked */
Index: source/utils/net_rpc_join.c
===================================================================
--- source/utils/net_rpc_join.c (revision 5061)
+++ source/utils/net_rpc_join.c (revision 5206)
@@ -212,7 +212,7 @@
 if (!NT_STATUS_IS_OK(result) && !NT_STATUS_EQUAL(result, NT_STATUS_USER_EXISTS)) {
- d_printf("Create of workstation account failed\n");
+ d_printf("Creation of workstation account failed\n");
 /* If NT_STATUS_ACCESS_DENIED then we have a valid username/password combo but the user does not have
Index: source/rpc_server/srv_samr_nt.c
===================================================================
--- source/rpc_server/srv_samr_nt.c (revision 5061)
+++ source/rpc_server/srv_samr_nt.c (revision 5206)
@@ -2333,17 +2333,29 @@
 pw = Get_Pwnam(account);
 /* determine which user right we need to check based on the acb_info */
- if ( acb_info == ACB_WSTRUST ) {
+
+ if ( acb_info & ACB_WSTRUST )
+ {
+ pstrcpy(add_script, lp_addmachine_script());
 se_priv_copy( &se_rights, &se_machine_account );
+ can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
+ }
+ else if ( acb_info & ACB_NORMAL )
+ {
+ pstrcpy(add_script, lp_adduser_script());
+ se_priv_copy( &se_rights, &se_add_users );
+ can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
+ }
+ else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) )
+ {
 pstrcpy(add_script, lp_addmachine_script());
+ if ( lp_enable_privileges() ) {
+ /* only Domain Admins can add a BDC or domain trust */
+ se_priv_copy( &se_rights, &se_priv_none );
+ can_add_account = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ }
 }
- else {
- se_priv_copy( &se_rights, &se_add_users );
- pstrcpy(add_script, lp_adduser_script());
- }
-
- can_add_account = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
-
+
 DEBUG(5, ("_samr_create_user: %s can add this account : %s\n", p->pipe_user_name, can_add_account ? "True":"False" ));
@@ -3060,7 +3072,7 @@
 uint32 acc_required;
 BOOL ret;
 BOOL has_enough_rights;
- SE_PRIV se_rights;
+ uint32 acb_info;
 DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__));
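Review bot: The new chain in _samr_create_user tests `acb_info & ACB_WSTRUST` and `acb_info & ACB_NORMAL` before `acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)`, so an acb_info mask (presumably the caller-supplied value from the request) that carries a trust-type bit together with ACB_WSTRUST or ACB_NORMAL is authorised by the weaker SeMachineAccountPrivilege / SeAddUsersPrivilege check rather than the Domain Admins check; the old `==` comparison did not have this gap because it matched the whole mask. If the mask is later stored on the new account unchanged (outside the hunk), a holder of only the machine-account or add-users right could end up creating a server- or domain-trust account. Test `acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)` first, then `ACB_WSTRUST`, then `ACB_NORMAL`, and close the chain with `else can_add_account = False;` so an unrecognised mask — or the trust branch with `lp_enable_privileges()` off, which assigns neither can_add_account nor se_rights here — cannot continue with a stale value. The enclosing function starts and ends outside the hunk, so where can_add_account, add_script and se_rights are initialised cannot be confirmed from here.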
@@ -3097,16 +3109,18 @@
 }
 /* deal with machine password changes differently from userinfo changes */
-
- if ( pdb_get_acct_ctrl(pwd) & ACB_WSTRUST )
- se_priv_copy( &se_rights, &se_machine_account );
- else
- se_priv_copy( &se_rights, &se_add_users );
-
 /* check to see if we have the sufficient rights */
- has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
-
+ acb_info = pdb_get_acct_ctrl(pwd);
+ if ( acb_info & ACB_WSTRUST )
+ has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account);
+ else if ( acb_info & ACB_NORMAL )
+ has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
+ else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) {
+ if ( lp_enable_privileges() )
+ has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ }
+
 DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n", p->pipe_user_name, has_enough_rights ? "" : " not"));
@@ -3199,7 +3213,7 @@
 uint32 acc_required;
 BOOL ret;
 BOOL has_enough_rights;
- SE_PRIV se_rights;
+ uint32 acb_info;
 DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__));
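Review bot: has_enough_rights can now be read uninitialised: the declaration shown as context in the @@ -3060 hunk above is a bare `BOOL has_enough_rights;`, the new chain has no final else, and the `(ACB_SVRTRUST|ACB_DOMTRUST)` branch assigns only when `lp_enable_privileges()` is true, so an account whose stored acb_info has none of the three bit groups, or a trust account with privileges disabled, reaches the DEBUG line (and whatever rights decision follows it outside the hunk) with an indeterminate value — undefined behaviour, and any non-zero garbage reads as "has enough rights". Unless it is assigned somewhere between the declaration and this hunk (not visible here), initialise it at the declaration, `BOOL has_enough_rights = False;`, in both this function and samr_reply_set_userinfo2 — the @@ -3199 and @@ -3237 hunks below have the same shape. The branch order also mirrors _samr_create_user: a stored acb_info combining ACB_WSTRUST with a trust bit is checked against the weaker right, so testing `(ACB_SVRTRUST|ACB_DOMTRUST)` first is safer. The enclosing function starts and ends outside the hunk.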
@@ -3237,17 +3251,16 @@
 return NT_STATUS_NO_SUCH_USER;
 }
- /* deal with machine password changes differently from userinfo changes */
-
- if ( pdb_get_acct_ctrl(pwd) & ACB_WSTRUST )
- se_priv_copy( &se_rights, &se_machine_account );
- else
- se_priv_copy( &se_rights, &se_add_users );
-
- /* check to see if we have the sufficient rights */
-
- has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_rights );
-
+ acb_info = pdb_get_acct_ctrl(pwd);
+ if ( acb_info & ACB_WSTRUST )
+ has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account);
+ else if ( acb_info & ACB_NORMAL )
+ has_enough_rights = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
+ else if ( acb_info & (ACB_SVRTRUST|ACB_DOMTRUST) ) {
+ if ( lp_enable_privileges() )
+ has_enough_rights = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ }
+
 DEBUG(5, ("_samr_set_userinfo: %s does%s possess sufficient rights\n", p->pipe_user_name, has_enough_rights ? "" : " not"));
Index: source/lib/privileges.c
===================================================================
--- source/lib/privileges.c (revision 5061)
+++ source/lib/privileges.c (revision 5206)
@@ -29,11 +29,11 @@
 static SE_PRIV se_priv_all = SE_ALL_PRIVS;
 static SE_PRIV se_priv_end = SE_END;
-static SE_PRIV se_priv_none = SE_NONE;
 /* Define variables for all privileges so we can use the SE_PRIV* in the various se_priv_XXX() functions */
+const SE_PRIV se_priv_none = SE_NONE;
 const SE_PRIV se_machine_account = SE_MACHINE_ACCOUNT;
 const SE_PRIV se_print_operator = SE_PRINT_OPERATOR;
 const SE_PRIV se_add_users = SE_ADD_USERS;