structure returned from domain controllers.
-Administrator Domain SID
-------------------------
-
-Please note that when configured as a DC, it is now required
-that an account in the server's passdb backend be set to the
-domain SID of the default Administrator account. To obtain the
-domain SID on a Samba DC, run the following command:
-
-root# net getlocalsid
-SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299
-
-You may then assign the Domain Administrator rid to an account
-via pdbedit:
-
-root# pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 \
--u root -r
-
-
-
######################################################################
Changes
#######
Changes since 3.0.11pre2
------------------------
+smb.conf changes
+----------------
+
+ Parameter Name Action
+ -------------- ------
+ winbind enable local accounts Deprecated
+
+
commits
-------
o Jeremy Allison <jra@samba.org>
* Fix segfault in cups_queue_get().
* Tighten restrictions on changing user passwords when
the connected user possesses the SeMachineAccountPrivilege.
-
+ * Ensure we set NETBIOSNAME.domainname for the long machine name
+ when publishing printers in AD (based on input from Rob Foehl).
+ * Mark 'winbind enable local accounts' as deprecated.
+ * Mark testprns tool as deprecated.
+ * Allow root to grant/revoke privilege assignments.
+ * Correct interaction between user rights and se_access_check() on
+ SAMR objects.
+
o Guenther Deschner <gd@samba.org>
* Fix configure.in tests using KRB5_CONFIG variable and krb5-
config utility.
* Require assignment of Administrator SID in the passdb
- backend. No longer default to 'root' or 'admin users' list.
+ backend. Fall back to the default name of 'Administrator' if
+ the lookup fails rather than using the first name in the
+ default 'admin users' list.
* Enhance LDAP failure debug messages.
If "ldap user suffix" or "ldap machine suffix" are defined in
smb.conf, all user-accounts must reside below the user suffix,
-and all machine trust-accounts must be located below the machine
-suffix.
+and all machine and inter-domain trust-accounts must be located
+below the machine suffix. Previous Samba releases would fall
+back to searching the 'ldap suffix' in some cases.
Privilege Model
These rights can be assigned to arbitrary users or groups
via the 'net rpc rights grant/revoke' command. More details
-of Samba's privilege implementation will be available in a
-forthcoming HOWTO.
+of Samba's privilege implementation can be found in the
+Samba-HOWTO-Collection.
######################################################################
* Fixes for libsmbclient to ensure that interrupted system calls
are restarted minus the already expired portion of the timeout
(based on work by Derrell Lipman).
- * More unicode string parsing fixes.
+ * More Unicode string parsing fixes.
* Convert the winreg pipe to use WERROR returns.
* Make all LDAP timeouts consistent (input from Joe Meadows
<jameadows@webopolis.com>).
POLICY_VIEW_AUDIT_INFORMATION |\
POLICY_GET_PRIVATE_INFORMATION)
-#define POLICY_WRITE ( STANDARD_RIGHTS_WRITE_ACCESS |\
+#define POLICY_WRITE ( STD_RIGHT_READ_CONTROL_ACCESS |\
POLICY_TRUST_ADMIN |\
POLICY_CREATE_ACCOUNT |\
POLICY_CREATE_SECRET |\
#define STANDARD_RIGHTS_ALL_ACCESS STD_RIGHT_ALL_ACCESS /* 0x001f0000 */
#define STANDARD_RIGHTS_EXECUTE_ACCESS STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
#define STANDARD_RIGHTS_READ_ACCESS STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
-#define STANDARD_RIGHTS_WRITE_ACCESS STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
+#define STANDARD_RIGHTS_WRITE_ACCESS \
+ (STD_RIGHT_WRITE_OWNER_ACCESS | \
+ STD_RIGHT_WRITE_DAC_ACCESS | \
+ STD_RIGHT_DELETE_ACCESS) /* 0x000d0000 */
#define STANDARD_RIGHTS_REQUIRED_ACCESS \
(STD_RIGHT_DELETE_ACCESS | \
STD_RIGHT_READ_CONTROL_ACCESS | \
#define FILE_GENERIC_READ (STANDARD_RIGHTS_READ_ACCESS|FILE_READ_DATA|FILE_READ_ATTRIBUTES|\
FILE_READ_EA|SYNCHRONIZE_ACCESS)
-#define FILE_GENERIC_WRITE (STANDARD_RIGHTS_WRITE_ACCESS|FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES|\
+#define FILE_GENERIC_WRITE (STD_RIGHT_READ_CONTROL_ACCESS|FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES|\
FILE_WRITE_EA|FILE_APPEND_DATA|SYNCHRONIZE_ACCESS)
#define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE_ACCESS|\
{"template shell", P_STRING, P_GLOBAL, &Globals.szTemplateShell, NULL, NULL, FLAG_ADVANCED},
{"winbind separator", P_STRING, P_GLOBAL, &Globals.szWinbindSeparator, NULL, NULL, FLAG_ADVANCED},
{"winbind cache time", P_INTEGER, P_GLOBAL, &Globals.winbind_cache_time, NULL, NULL, FLAG_ADVANCED},
- {"winbind enable local accounts", P_BOOL, P_GLOBAL, &Globals.bWinbindEnableLocalAccounts, NULL, NULL, FLAG_ADVANCED},
+ {"winbind enable local accounts", P_BOOL, P_GLOBAL, &Globals.bWinbindEnableLocalAccounts, NULL, NULL, FLAG_ADVANCED|FLAG_DEPRECATED},
{"winbind enum users", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumUsers, NULL, NULL, FLAG_ADVANCED},
{"winbind enum groups", P_BOOL, P_GLOBAL, &Globals.bWinbindEnumGroups, NULL, NULL, FLAG_ADVANCED},
{"winbind use default domain", P_BOOL, P_GLOBAL, &Globals.bWinbindUseDefaultDomain, NULL, NULL, FLAG_ADVANCED},
return True;
}
+ if (rid == DOMAIN_USER_RID_ADMIN) {
+ *psid_name_use = SID_NAME_USER;
+ fstrcpy(name, "Administrator");
+ return True;
+ }
+
if (algorithmic_pdb_rid_is_user(rid)) {
uid_t uid;
struct passwd *pw = NULL;
struct lsa_info *info = NULL;
SE_PRIV mask;
PRIVILEGE_SET *set = NULL;
+ struct current_user user;
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- /* check to see if the pipe_user is a Domain Admin since
+ /* check to see if the pipe_user is root or a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
-
- if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+
+ get_current_user( &user, p );
+ if ( user.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ {
return NT_STATUS_ACCESS_DENIED;
+ }
set = &q_u->set;
struct lsa_info *info = NULL;
SE_PRIV mask;
PRIVILEGE_SET *set = NULL;
+ struct current_user user;
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- /* check to see if the pipe_user is a Domain Admin since
+ /* check to see if the pipe_user is root or a Domain Admin since
account_pol.tdb was already opened as root, this is all we have */
-
- if ( !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+
+ get_current_user( &user, p );
+ if ( user.uid != sec_initial_uid()
+ && !nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS ) )
+ {
return NT_STATUS_ACCESS_DENIED;
+ }
set = &q_u->set;
saved_mask = (des_access & rights_mask);
des_access &= ~saved_mask;
- DEBUG(4,("access_check_samr_object: user rights saved access mask [0x%x]\n",
- saved_mask));
+ DEBUG(4,("access_check_samr_object: user rights access mask [0x%x]\n",
+ rights_mask));
}
done:
/* add in any bits saved during the privilege check (only
- matters is syayus is ok) */
+ matters is status is ok) */
- *acc_granted |= saved_mask;
+ *acc_granted |= rights_mask;
DEBUG(4,("%s: access %s (requested: 0x%08x, granted: 0x%08x)\n",
debug, NT_STATUS_IS_OK(status) ? "GRANTED" : "DENIED",
{
setup_logging(argv[0],True);
+ printf("NOTICE: This program is now deprecated and will be removed \n");
+ printf("in a future Samba release.\n\n");
+
if (argc != 2)
printf("Usage: testprns printername\n");
else