}
/*check if access can be granted as requested by client. */
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
* Users with SeAddUser get the ability to manipulate groups
* and aliases.
*/
- if (security_token_has_privilege(p->server_info->ptok, SEC_PRIV_ADD_USERS)) {
+ if (security_token_has_privilege(p->server_info->security_token, SEC_PRIV_ADD_USERS)) {
extra_access |= (SAMR_DOMAIN_ACCESS_CREATE_GROUP |
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
* SAMR_DOMAIN_ACCESS_CREATE_USER access.
*/
- status = access_check_object( psd, p->server_info->ptok,
+ status = access_check_object( psd, p->server_info->security_token,
SEC_PRIV_MACHINE_ACCOUNT, SEC_PRIV_ADD_USERS,
extra_access, des_access,
&acc_granted, "_samr_OpenDomain" );
return NT_STATUS_NO_SUCH_USER;
/* check if access can be granted as requested by client. */
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
* DOMAIN_RID_ADMINS.
*/
if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
- if (lp_enable_privileges() && nt_token_check_domain_rid(p->server_info->ptok,
+ if (lp_enable_privileges() && nt_token_check_domain_rid(p->server_info->security_token,
DOMAIN_RID_ADMINS)) {
des_access &= ~GENERIC_RIGHTS_USER_WRITE;
extra_access = GENERIC_RIGHTS_USER_WRITE;
TALLOC_FREE(sampass);
- nt_status = access_check_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->security_token,
needed_priv_1, needed_priv_2,
GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_OpenUser");
can_add_account = true;
} else if (acb_info & ACB_WSTRUST) {
needed_priv = SEC_PRIV_MACHINE_ACCOUNT;
- can_add_account = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_MACHINE_ACCOUNT);
+ can_add_account = security_token_has_privilege(p->server_info->security_token, SEC_PRIV_MACHINE_ACCOUNT);
} else if (acb_info & ACB_NORMAL &&
(account[strlen(account)-1] != '$')) {
/* usrmgr.exe (and net rpc trustdom grant) creates a normal user
account for domain trusts and changes the ACB flags later */
needed_priv = SEC_PRIV_ADD_USERS;
- can_add_account = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_ADD_USERS);
+ can_add_account = security_token_has_privilege(p->server_info->security_token, SEC_PRIV_ADD_USERS);
} else if (lp_enable_privileges()) {
/* implicit assumption of a BDC or domain trust account here
* (we already check the flags earlier) */
/* only Domain Admins can add a BDC or domain trust */
can_add_account = nt_token_check_domain_rid(
- p->server_info->ptok,
+ p->server_info->security_token,
DOMAIN_RID_ADMINS );
}
sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
* just assume we have all the rights we need ?
*/
- nt_status = access_check_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->security_token,
needed_priv, SEC_PRIV_INVALID,
GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_CreateUser2");
was observed from a win98 client trying to enumerate users (when configured
user level access control on shares) --jerry */
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
return NT_STATUS_ACCESS_DENIED;
}
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
se_map_generic(&des_access, &sam_generic_mapping);
- nt_status = access_check_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->security_token,
SEC_PRIV_INVALID, SEC_PRIV_INVALID,
0, des_access, &acc_granted, fn);
/*check if access can be granted as requested by client. */
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
se_map_generic(&des_access,&ali_generic_mapping);
- status = access_check_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->security_token,
SEC_PRIV_ADD_USERS, SEC_PRIV_INVALID,
GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenAlias");
}
/*check if access can be granted as requested by client. */
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
se_map_generic(&des_access,&grp_generic_mapping);
- status = access_check_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->security_token,
SEC_PRIV_ADD_USERS, SEC_PRIV_INVALID, GENERIC_RIGHTS_GROUP_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenGroup");
git.samba.org / amitay / samba.git / blobdiff