DOM_SID sid;
fstring privname;
UNISTR2_ARRAY *uni_privnames = &q_u->rights;
+ struct current_user user;
/* find the connection policy handle. */
/* check to see if the pipe_user is a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ get_current_user( &user, p );
+ if ( user.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ {
return NT_STATUS_ACCESS_DENIED;
+ }
/* according to an NT4 PDC, you can add privileges to SIDs even without
call_lsa_create_account() first. And you can use any arbitrary SID. */
DOM_SID sid;
fstring privname;
UNISTR2_ARRAY *uni_privnames = &q_u->rights;
+ struct current_user user;
/* find the connection policy handle. */
/* check to see if the pipe_user is a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
- if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ get_current_user( &user, p );
+ if ( user.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ {
return NT_STATUS_ACCESS_DENIED;
+ }
sid_copy( &sid, &q_u->sid.sid );