NTSTATUS status = NT_STATUS_ACCESS_DENIED;
if (!se_access_check(psd, nt_user_token, des_access, acc_granted, &status)) {
+ *acc_granted = des_access;
if (geteuid() == sec_initial_uid()) {
DEBUG(4,("%s: ACCESS should be DENIED (requested: %#010x)\n",
debug, des_access));
DEBUG(10,("load_group_domain_entries: already in memory\n"));
return NT_STATUS_OK;
}
+
+
+ become_root();
if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV)) {
DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n"));
return NT_STATUS_NO_MEMORY;
}
+
+ unbecome_root();
info->disp_info.num_group_account=group_entries;
/* Get what we need from the password database */
switch (q_u->switch_level) {
case 0x1:
+ /* When playing with usrmgr, this is necessary
+ if you want immediate refresh after editing
+ a user. I would like to do this after the
+ setuserinfo2, but we do not have access to
+ the domain handle in that call, only to the
+ user handle. Where else does this hurt?
+ -- Volker
+ */
+#if 0
+ /* We cannot do this here - it kills performace. JRA. */
+ free_samr_users(info);
+#endif
case 0x2:
case 0x4:
become_root();
* is case insensitive.
*/
- if (!pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash,
- q_u->nt_newpass.pass, q_u->nt_oldhash.hash))
- r_u->status = NT_STATUS_WRONG_PASSWORD;
+ r_u->status = pass_oem_change(user_name, q_u->lm_newpass.pass, q_u->lm_oldhash.hash,
+ q_u->nt_newpass.pass, q_u->nt_oldhash.hash);
init_samr_r_chgpasswd_user(r_u, r_u->status);
uint32 acc_granted;
SEC_DESC *psd;
size_t sd_size;
- uint32 des_access;
+ /* check this, when giving away 'add computer to domain' privs */
+ uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
/* Get the domain SID stored in the domain policy */
if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted))
pw = getpwnam_alloc(account);
if (pw) {
- if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sam_pass, pw))) {
- passwd_free(&pw);
+ nt_status = pdb_init_sam_pw(&sam_pass, pw);
+ passwd_free(&pw); /* done with this now */
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ pdb_free_sam(&sam_pass);
return nt_status;
}
- passwd_free(&pw); /* done with this now */
} else {
DEBUG(3,("attempting to create non-unix account %s\n", account));
account));
return NT_STATUS_ACCESS_DENIED;
}
-
- pdb_reset_sam(sam_pass);
-
- if (!pdb_getsampwnam(sam_pass, account)) {
- pdb_free_sam(&sam_pass);
- DEBUG(0, ("could not find user/computer %s just added to passdb?!?\n",
- account));
- return NT_STATUS_ACCESS_DENIED;
- }
/* Get the user's SID */
sid_copy(&sid, pdb_get_user_sid(sam_pass));
fstrcpy(grp_name, grp->gr_name);
/* if the user is already in the group */
- if(user_in_group_list(pwd->pw_name, grp_name)) {
+ if(user_in_unix_group_list(pwd->pw_name, grp_name)) {
passwd_free(&pwd);
return NT_STATUS_MEMBER_IN_ALIAS;
}
smb_add_user_group(grp_name, pwd->pw_name);
/* check if the user has been added then ... */
- if(!user_in_group_list(pwd->pw_name, grp_name)) {
+ if(!user_in_unix_group_list(pwd->pw_name, grp_name)) {
passwd_free(&pwd);
return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */
}
if ((grp=getgrgid(map.gid)) == NULL)
return NT_STATUS_NO_SUCH_ALIAS;
- /* we need to copy the name otherwise it's overloaded in user_in_group_list */
+ /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
fstrcpy(grp_name, grp->gr_name);
/* check if the user exists before trying to remove it from the group */
}
/* if the user is not in the group */
- if(!user_in_group_list(pdb_get_username(sam_pass), grp_name)) {
+ if(!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
pdb_free_sam(&sam_pass);
return NT_STATUS_MEMBER_IN_ALIAS;
}
smb_delete_user_group(grp_name, pdb_get_username(sam_pass));
/* check if the user has been removed then ... */
- if(user_in_group_list(pdb_get_username(sam_pass), grp_name)) {
+ if(user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
pdb_free_sam(&sam_pass);
return NT_STATUS_MEMBER_NOT_IN_ALIAS; /* don't know what to reply else */
}
return NT_STATUS_NO_SUCH_GROUP;
}
- /* we need to copy the name otherwise it's overloaded in user_in_group_list */
+ /* we need to copy the name otherwise it's overloaded in user_in_unix_group_list */
fstrcpy(grp_name, grp->gr_name);
/* if the user is already in the group */
- if(user_in_group_list(pwd->pw_name, grp_name)) {
+ if(user_in_unix_group_list(pwd->pw_name, grp_name)) {
passwd_free(&pwd);
return NT_STATUS_MEMBER_IN_GROUP;
}
smb_add_user_group(grp_name, pwd->pw_name);
/* check if the user has been added then ... */
- if(!user_in_group_list(pwd->pw_name, grp_name)) {
+ if(!user_in_unix_group_list(pwd->pw_name, grp_name)) {
passwd_free(&pwd);
return NT_STATUS_MEMBER_NOT_IN_GROUP; /* don't know what to reply else */
}
}
/* if the user is not in the group */
- if (!user_in_group_list(pdb_get_username(sam_pass), grp_name)) {
+ if (!user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
pdb_free_sam(&sam_pass);
return NT_STATUS_MEMBER_NOT_IN_GROUP;
}
smb_delete_user_group(grp_name, pdb_get_username(sam_pass));
/* check if the user has been removed then ... */
- if (user_in_group_list(pdb_get_username(sam_pass), grp_name)) {
+ if (user_in_unix_group_list(pdb_get_username(sam_pass), grp_name)) {
pdb_free_sam(&sam_pass);
return NT_STATUS_ACCESS_DENIED; /* don't know what to reply else */
}
git.samba.org / ira / wip.git / blobdiff