r13778: When deleting machine accounts it's the SeMachineAccountPrivilege
authorJeremy Allison <jra@samba.org>
Wed, 1 Mar 2006 21:56:59 +0000 (21:56 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 16:10:53 +0000 (11:10 -0500)
that counts.
Jeremy.
(This used to be commit aa85ba4f3799ffbe5c6f84f768f03a4c68d879dc)

source3/rpc_server/srv_samr_nt.c

index de6c28a38dbbb45e93b31a53c49d1ad56b031ca0..e4dc92c08d4dd351ef1fff43820b77119bc54970 100644 (file)
@@ -3933,6 +3933,7 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM
        struct samu *sam_pass=NULL;
        uint32 acc_granted;
        BOOL can_add_accounts;
+       uint32 acb_info;
        DISP_INFO *disp_info = NULL;
 
        DEBUG(5, ("_samr_delete_dom_user: %d\n", __LINE__));
@@ -3960,7 +3961,14 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM
                return NT_STATUS_NO_SUCH_USER;
        }
        
-       can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
+       acb_info = pdb_get_acct_ctrl(sam_pass);
+
+       /* For machine accounts it's the SeMachineAccountPrivilege that counts. */
+       if ( acb_info & ACB_WSTRUST ) {
+               can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_machine_account );
+       } else {
+               can_add_accounts = user_has_privileges( p->pipe_user.nt_user_token, &se_add_users );
+       } 
 
        /******** BEGIN SeAddUsers BLOCK *********/
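Review bot: The new test `if ( acb_info & ACB_WSTRUST )` picks the privilege from the account type alone, so a caller holding SeMachineAccountPrivilege passes it for every workstation trust account, not only the ones that caller joined. What `can_add_accounts` then gates lies after the `BEGIN SeAddUsers BLOCK` banner, outside this hunk; if it enables a privileged delete, the wider reach should be stated next to the check, for example `/* NOTE: any SeMachineAccountPrivilege holder may delete any ACB_WSTRUST account, not just ones it created. */`. A DEBUG line recording which privilege was evaluated would make such deletions easier to trace. Accounts carrying other trust bits (ACB_SVRTRUST, ACB_DOMTRUST) still fall through to `se_add_users`, which looks intended but is worth a word in the same comment. The banner and the name `can_add_accounts` no longer describe the machine-account path; something like `/******** BEGIN SeAddUsers / SeMachineAccount BLOCK *********/` would keep the next reader from assuming only SeAddUsers applies.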