r4874: add DOmain Admins (Full Control) to the default printer sd if we are a DC

diff --git a/source/printing/nt_printing.c b/source/printing/nt_printing.c
index d22ec935a39cc737990614784aad31879581487a..d5cf58f54d81edc88e3988ca285cc140994828dd 100644 (file)
--- a/source/printing/nt_printing.c
+++ b/source/printing/nt_printing.c
@@ -4806,7 +4806,8 @@ WERROR nt_printing_setsec(const char *printername, SEC_DESC_BUF *secdesc_ctr)
 
 static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
 {
-       SEC_ACE ace[3];
+       SEC_ACE ace[5]; /* max number of ace entries */
+       int i = 0;
        SEC_ACCESS sa;
        SEC_ACL *psa = NULL;
        SEC_DESC_BUF *sdb = NULL;
@@ -4817,7 +4818,7 @@ static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
        /* Create an ACE where Everyone is allowed to print */
 
        init_sec_access(&sa, PRINTER_ACE_PRINT);
-       init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
+       init_sec_ace(&ace[i++], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED,
                     sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
 
        /* Make the security descriptor owned by the Administrators group
@@ -4836,20 +4837,38 @@ static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
        }
 
        init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL);
-       init_sec_ace(&ace[1], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
+       init_sec_ace(&ace[i++], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
                     sa, SEC_ACE_FLAG_OBJECT_INHERIT |
                     SEC_ACE_FLAG_INHERIT_ONLY);
 
        init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL);
-       init_sec_ace(&ace[2], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
+       init_sec_ace(&ace[i++], &owner_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
                     sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
 
+       /* Add the domain admins group if we are a DC */
+       
+       if ( IS_DC ) {
+               DOM_SID domadmins_sid;
+               
+               sid_copy(&domadmins_sid, get_global_sam_sid());
+               sid_append_rid(&domadmins_sid, DOMAIN_GROUP_RID_ADMINS);
+               
+               init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL);
+               init_sec_ace(&ace[i++], &domadmins_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
+                            sa, SEC_ACE_FLAG_OBJECT_INHERIT |
+                            SEC_ACE_FLAG_INHERIT_ONLY);
+
+               init_sec_access(&sa, PRINTER_ACE_FULL_CONTROL);
+               init_sec_ace(&ace[i++], &domadmins_sid, SEC_ACE_TYPE_ACCESS_ALLOWED,
+                            sa, SEC_ACE_FLAG_CONTAINER_INHERIT);
+       }
+                    
        /* The ACL revision number in rpc_secdesc.h differs from the one
           created by NT when setting ACE entries in printer
           descriptors.  NT4 complains about the property being edited by a
           NT5 machine. */
 
-       if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 3, ace)) != NULL) {
+       if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, i, ace)) != NULL) {
                psd = make_sec_desc(ctx, SEC_DESC_REVISION, SEC_DESC_SELF_RELATIVE,
                                    &owner_sid, NULL,
                                    NULL, psa, &sd_size);