struct netr_NETLOGON_INFO_3 *info3;
struct netr_NETLOGON_INFO_4 *info4;
const char *fn;
+ uint32_t acct_ctrl;
switch (p->hdr_req.opnum) {
case NDR_NETR_LOGONCONTROL:
return WERR_INVALID_PARAM;
}
+ acct_ctrl = pdb_get_acct_ctrl(p->server_info->sam_account);
+
switch (r->in.function_code) {
case NETLOGON_CONTROL_TC_VERIFY:
case NETLOGON_CONTROL_CHANGE_PASSWORD:
case NETLOGON_CONTROL_REDISCOVER:
- if (!nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_GROUP_RID_ADMINS) &&
- !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok)) {
+ if ((geteuid() != sec_initial_uid()) &&
+ !nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_RID_ADMINS) &&
+ !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok) &&
+ !(acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))) {
return WERR_ACCESS_DENIED;
}
break;
case NETLOGON_CONTROL_SYNCHRONIZE:
case NETLOGON_CONTROL_PDC_REPLICATE:
case NETLOGON_CONTROL_BACKUP_CHANGE_LOG:
- case NETLOGON_CONTROL_TRUNCATE_LOG:
case NETLOGON_CONTROL_BREAKPOINT:
- return WERR_ACCESS_DENIED;
+ if (acct_ctrl & ACB_NORMAL) {
+ return WERR_NOT_SUPPORTED;
+ } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
+ return WERR_ACCESS_DENIED;
+ } else {
+ return WERR_ACCESS_DENIED;
+ }
+ case NETLOGON_CONTROL_TRUNCATE_LOG:
+ if (acct_ctrl & ACB_NORMAL) {
+ break;
+ } else if (acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST)) {
+ return WERR_ACCESS_DENIED;
+ } else {
+ return WERR_ACCESS_DENIED;
+ }
+
case NETLOGON_CONTROL_TRANSPORT_NOTIFY:
case NETLOGON_CONTROL_FORCE_DNS_REG:
case NETLOGON_CONTROL_QUERY_DNS_REG:
rpc="$rpc RPC-LSA-PRIVILEGES "
rpc="$rpc RPC-SAMR RPC-SAMR-USERS RPC-SAMR-USERS-PRIVILEGES RPC-SAMR-PASSWORDS"
rpc="$rpc RPC-SAMR-PASSWORDS-PWDLASTSET RPC-SAMR-LARGE-DC RPC-SAMR-MACHINE-AUTH"
-rpc="$rpc RPC-NETLOGON-S3 RPC-SCHANNEL RPC-SCHANNEL2 RPC-BENCH-SCHANNEL1 RPC-JOIN"
+rpc="$rpc RPC-NETLOGON-S3 RPC-NETLOGON-ADMIN"
+rpc="$rpc RPC-SCHANNEL RPC-SCHANNEL2 RPC-BENCH-SCHANNEL1 RPC-JOIN"
local="LOCAL-NSS-WRAPPER"