s3-lsa: start a very basic implementation of _lsa_DeleteObject().
authorGünther Deschner <gd@samba.org>
Mon, 18 May 2009 19:00:29 +0000 (21:00 +0200)
committerGünther Deschner <gd@samba.org>
Mon, 18 May 2009 20:58:31 +0000 (22:58 +0200)
Certainly not the full story, but this gets us closer to passing the
RPC-SAMR-USERS-PRIVILEGES test.

Guenther

source3/rpc_server/srv_lsa_nt.c

index fb5117cdd3b18b09df96b8ab5e24a221a5993e6f..7cddb5cb85aa17b9fe05bdff7a4bfe5b01b48a23 100644 (file)
@@ -1290,7 +1290,29 @@ NTSTATUS _lsa_SetSecret(pipes_struct *p, struct lsa_SetSecret *r)
 NTSTATUS _lsa_DeleteObject(pipes_struct *p,
                           struct lsa_DeleteObject *r)
 {
-       return NT_STATUS_ACCESS_DENIED;
+       NTSTATUS status;
+       struct lsa_info *info = NULL;
+
+       if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info)) {
+               return NT_STATUS_INVALID_HANDLE;
+       }
+
+       /* check to see if the pipe_user is root or a Domain Admin since
+          account_pol.tdb was already opened as root, this is all we have */
+
+       if (p->server_info->utok.uid != sec_initial_uid() &&
+           !nt_token_check_domain_rid(p->server_info->ptok,
+                                      DOMAIN_GROUP_RID_ADMINS)) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       status = privilege_delete_account(&info->sid);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(10,("_lsa_DeleteObject: privilege_delete_account gave: %s\n",
+                       nt_errstr(status)));
+       }
+
+       return status;
 }
 
 /***************************************************************************
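Review bot: `privilege_delete_account(&info->sid)` runs for whatever handle `find_policy_by_hnd` resolves, and nothing in the new body confirms that the handle refers to an account object or was opened with delete access; the only gate is the root / Domain Admins token check. If policy handles also populate `info->sid` (not visible in this hunk), a DeleteObject call on one would remove the privilege entries for that SID instead of failing. Consider rejecting handles that were not opened on an account, and checking the access mask stored on the handle before deleting. The handle also stays usable after a successful delete; calling `close_policy_hnd(p, r->in.handle);` on success would stop later calls from operating on the stale SID of a deleted object. Because this is a privileged, destructive operation, logging the caller and the SID on success at a level lower than 10 would help auditing.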