s3-samr: avoid enumeration and user creation on builtin domain handle.
authorGünther Deschner <gd@samba.org>
Thu, 27 Nov 2008 00:21:49 +0000 (01:21 +0100)
committerGünther Deschner <gd@samba.org>
Thu, 27 Nov 2008 17:28:43 +0000 (18:28 +0100)
Guenther

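--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -1484,6 +1484,11 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
+       if (info->builtin_domain) {
+               DEBUG(5,("_samr_QueryDisplayInfo: Nothing in BUILTIN\n"));
+               return NT_STATUS_OK;
+       }
+
        status = access_check_samr_function(info->acc_granted,
                                            SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
                                            "_samr_QueryDisplayInfo");
@@ -3281,6 +3286,11 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
                                     &disp_info))
                return NT_STATUS_INVALID_HANDLE;
 
+       if (disp_info->builtin_domain) {
+               DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        nt_status = access_check_samr_function(acc_granted,
                                               SAMR_DOMAIN_ACCESS_CREATE_USER,
                                               "_samr_CreateUser2");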
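Review bot: In the `_samr_QueryDisplayInfo` hunk the new `if (info->builtin_domain)` branch returns `NT_STATUS_OK` ahead of `access_check_samr_function()` and sets no output field in the lines shown. A handle that lacks `SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS` therefore gets success on BUILTIN where a non-builtin domain would go through the access check, and the reply's counts and info union rely on whatever initialisation happens outside the hunk. I would move the branch below the point where the access-check result is tested and zero the out parameters explicitly before `return NT_STATUS_OK;`, with a comment such as `/* BUILTIN holds no users: return an empty, fully initialised result */`. The out-parameter names are not visible here and the function body continues outside the hunk, so confirm against the full function. The `_samr_CreateUser2` refusal has the safe ordering (deny first), but it is logged only at `DEBUG(5,...)`, which may be too quiet for a rejected account creation.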