The branch, v3-5-test has been updated
       via  a5af824... s3-passdb: move open_schannel_session_store() to 
passdb/secrets_schannel.c.
       via  50b1a41... s3-net: acct_flags are uint32_t in 
net_sam_set_userflag().
       via  ed9df48... adssearch: dump some more nttime timestamps.
       via  d8f6db0... s3-lsa: add lsa_trusted_domain_mapping.
       via  6e3444c... lsa: add LSA_TRUSTED_DOMAIN access masks.
       via  87c1eb2... s3-passdb: add secrets_delete_generic().
       via  cebefbe... s3-lsa: add lsa_secret_mapping.
       via  c765a61... lsa: add LSA_SECRET access masks.
       via  cd3b6ee... s3-lsa: use correct function name 
in_lsa_RemoveAccountRights().
       via  70e65d3... s3-lsa: pure cosmetic indentation fixes.
       via  48e7b9e... s3-lsa: use enum lsa_LookupNamesLevel in 
lsa_lookup_level_to_flags().
      from  4b69d99... Fix map readonly in smb.conf, it is a single word

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit a5af824b953a7446ac7ce2e0efc18f0e1ca538bd
Author: Günther Deschner <g...@samba.org>
Date:   Wed Oct 28 11:36:13 2009 +0100

    s3-passdb: move open_schannel_session_store() to passdb/secrets_schannel.c.
    
    Guenther

commit 50b1a41bc19c6ca8a9364fe5a95e8bd6ba4f9894
Author: Günther Deschner <g...@samba.org>
Date:   Wed Oct 28 10:56:01 2009 +0100

    s3-net: acct_flags are uint32_t in net_sam_set_userflag().
    
    Guenther

commit ed9df48953fc3877013e2cf09bc782fce36ea825
Author: Günther Deschner <g...@samba.org>
Date:   Wed Oct 28 10:55:14 2009 +0100

    adssearch: dump some more nttime timestamps.
    
    Guenther

commit d8f6db0626c6a7e404e98fa708cd29d55ec9e381
Author: Günther Deschner <g...@samba.org>
Date:   Tue Oct 27 15:29:02 2009 +0100

    s3-lsa: add lsa_trusted_domain_mapping.
    
    Guenther

commit 6e3444cc8b5c1989c3076f7656289b6226222e45
Author: Günther Deschner <g...@samba.org>
Date:   Tue Oct 27 15:28:06 2009 +0100

    lsa: add LSA_TRUSTED_DOMAIN access masks.
    
    Guenther

commit 87c1eb24a5d63bdb53b7400d111ff13fb4d35c48
Author: Günther Deschner <g...@samba.org>
Date:   Tue Oct 27 14:59:25 2009 +0100

    s3-passdb: add secrets_delete_generic().
    
    Guenther

commit cebefbeaeec5acf646964c52862e8337719fafb1
Author: Günther Deschner <g...@samba.org>
Date:   Tue Oct 27 13:50:43 2009 +0100

    s3-lsa: add lsa_secret_mapping.
    
    Guenther

commit c765a61bbff44666d78f80ec2ce87a58f32bd034
Author: Günther Deschner <g...@samba.org>
Date:   Tue Oct 27 13:49:21 2009 +0100

    lsa: add LSA_SECRET access masks.
    
    Guenther

commit cd3b6eead757434d32535107746713d9631c15be
Author: Günther Deschner <g...@samba.org>
Date:   Mon Oct 26 23:47:01 2009 +0100

    s3-lsa: use correct function name in_lsa_RemoveAccountRights().
    
    Guenther

commit 70e65d3c947b261f1d26d95b620627237a3c4fe2
Author: Günther Deschner <g...@samba.org>
Date:   Mon Oct 26 23:37:21 2009 +0100

    s3-lsa: pure cosmetic indentation fixes.
    
    Guenther

commit 48e7b9e2c0ef95b9e3fbf439ad68ff412c156ebd
Author: Günther Deschner <g...@samba.org>
Date:   Mon Oct 26 23:28:30 2009 +0100

    s3-lsa: use enum lsa_LookupNamesLevel in lsa_lookup_level_to_flags().
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 examples/misc/adssearch.pl        |    2 +
 librpc/gen_ndr/lsa.h              |    8 ++++
 librpc/idl/lsa.idl                |   48 +++++++++++++++++++++++++
 source3/include/proto.h           |    3 +-
 source3/passdb/secrets.c          |   69 ++++++-------------------------------
 source3/passdb/secrets_schannel.c |   63 +++++++++++++++++++++++++++++++++
 source3/rpc_server/srv_lsa_nt.c   |   63 ++++++++++++++++++++-------------
 source3/utils/net_sam.c           |    2 +-
 8 files changed, 173 insertions(+), 85 deletions(-)


Changeset truncated at 500 lines:

diff --git a/examples/misc/adssearch.pl b/examples/misc/adssearch.pl
index 026853d..13a85be 100755
--- a/examples/misc/adssearch.pl
+++ b/examples/misc/adssearch.pl
@@ -518,6 +518,7 @@ my %attr_handler = (
        "instanceType"                  => \&dump_instance_type,
        "lastLogon"                     => \&dump_nttime,
        "lastLogonTimestamp"            => \&dump_nttime,
+       "lastSetTime"                   => \&dump_nttime,
        "lockOutObservationWindow"      => \&dump_nttime_abs,
        "lockoutDuration"               => \&dump_nttime_abs,
        "lockoutTime"                   => \&dump_nttime,
@@ -538,6 +539,7 @@ my %attr_handler = (
        "objectSid"                     => \&dump_sid,
        "pKT"                           => \&dump_pkt,
        "pKTGuid"                       => \&dump_guid,
+       "priorSetTime"                  => \&dump_nttime,
        "pwdLastSet"                    => \&dump_nttime,
        "pwdProperties"                 => \&dump_pwdproperties,
        "sAMAccountType"                => \&dump_atype,
diff --git a/librpc/gen_ndr/lsa.h b/librpc/gen_ndr/lsa.h
index f101fb6..a0af571 100644
--- a/librpc/gen_ndr/lsa.h
+++ b/librpc/gen_ndr/lsa.h
@@ -17,6 +17,14 @@
 #define LSA_ACCOUNT_READ       ( 
(STANDARD_RIGHTS_READ_ACCESS|LSA_ACCOUNT_VIEW) )
 #define LSA_ACCOUNT_WRITE      ( 
(STANDARD_RIGHTS_READ_ACCESS|LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_QUOTAS|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS)
 )
 #define LSA_ACCOUNT_EXECUTE    ( (STANDARD_RIGHTS_EXECUTE_ACCESS) )
+#define LSA_SECRET_ALL_ACCESS  ( 
(LSA_SECRET_QUERY_VALUE|LSA_SECRET_SET_VALUE|SEC_STD_DELETE|STANDARD_RIGHTS_READ_ACCESS|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER)
 )
+#define LSA_SECRET_READ        ( 
(LSA_SECRET_QUERY_VALUE|STANDARD_RIGHTS_READ_ACCESS) )
+#define LSA_SECRET_WRITE       ( 
(LSA_SECRET_SET_VALUE|STANDARD_RIGHTS_READ_ACCESS) )
+#define LSA_SECRET_EXECUTE     ( (STANDARD_RIGHTS_READ_ACCESS) )
+#define LSA_TRUSTED_DOMAIN_ALL_ACCESS  ( 
(LSA_TRUSTED_QUERY_DOMAIN_NAME|LSA_TRUSTED_QUERY_CONTROLLERS|LSA_TRUSTED_SET_CONTROLLERS|LSA_TRUSTED_QUERY_POSIX|LSA_TRUSTED_SET_POSIX|LSA_TRUSTED_SET_AUTH|LSA_TRUSTED_QUERY_AUTH|SEC_STD_DELETE|STANDARD_RIGHTS_READ_ACCESS|SEC_STD_WRITE_DAC|SEC_STD_WRITE_OWNER)
 )
+#define LSA_TRUSTED_DOMAIN_READ        ( 
(LSA_TRUSTED_QUERY_DOMAIN_NAME|STANDARD_RIGHTS_READ_ACCESS) )
+#define LSA_TRUSTED_DOMAIN_WRITE       ( 
(LSA_TRUSTED_SET_CONTROLLERS|LSA_TRUSTED_SET_POSIX|LSA_TRUSTED_SET_AUTH|STANDARD_RIGHTS_READ_ACCESS)
 )
+#define LSA_TRUSTED_DOMAIN_EXECUTE     ( 
(LSA_TRUSTED_QUERY_DOMAIN_NAME|LSA_TRUSTED_QUERY_POSIX|STANDARD_RIGHTS_READ_ACCESS)
 )
 #define LSA_ENUM_TRUST_DOMAIN_MULTIPLIER       ( 60 )
 #define LSA_REF_DOMAIN_LIST_MULTIPLIER ( 32 )
 #define LSA_ENUM_TRUST_DOMAIN_EX_MULTIPLIER    ( 82 )
diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
index 253b6d7..097dda5 100644
--- a/librpc/idl/lsa.idl
+++ b/librpc/idl/lsa.idl
@@ -213,6 +213,25 @@ import "misc.idl", "security.idl";
                LSA_SECRET_QUERY_VALUE                  = 0x00000002
        } lsa_SecretAccessMask;
 
+       const int LSA_SECRET_ALL_ACCESS =
+               (LSA_SECRET_QUERY_VALUE |
+                LSA_SECRET_SET_VALUE |
+                SEC_STD_DELETE |
+                STANDARD_RIGHTS_READ_ACCESS |
+                SEC_STD_WRITE_DAC |
+                SEC_STD_WRITE_OWNER); /* 0x000F0003 */
+
+       const int LSA_SECRET_READ =
+               (LSA_SECRET_QUERY_VALUE |
+               STANDARD_RIGHTS_READ_ACCESS); /* 0x00020002 */
+
+       const int LSA_SECRET_WRITE =
+               (LSA_SECRET_SET_VALUE |
+               STANDARD_RIGHTS_READ_ACCESS); /* 0x00020001 */
+
+       const int LSA_SECRET_EXECUTE =
+               (STANDARD_RIGHTS_READ_ACCESS); /* 0x00020000 */
+
        typedef [public,bitmap32bit] bitmap {
                LSA_TRUSTED_QUERY_DOMAIN_NAME           = 0x00000001,
                LSA_TRUSTED_QUERY_CONTROLLERS           = 0x00000002,
@@ -223,6 +242,35 @@ import "misc.idl", "security.idl";
                LSA_TRUSTED_QUERY_AUTH                  = 0x00000040
        } lsa_TrustedAccessMask;
 
+       const int LSA_TRUSTED_DOMAIN_ALL_ACCESS =
+               (LSA_TRUSTED_QUERY_DOMAIN_NAME |
+                LSA_TRUSTED_QUERY_CONTROLLERS |
+                LSA_TRUSTED_SET_CONTROLLERS |
+                LSA_TRUSTED_QUERY_POSIX |
+                LSA_TRUSTED_SET_POSIX |
+                LSA_TRUSTED_SET_AUTH |
+                LSA_TRUSTED_QUERY_AUTH |
+                SEC_STD_DELETE |
+                STANDARD_RIGHTS_READ_ACCESS |
+                SEC_STD_WRITE_DAC |
+                SEC_STD_WRITE_OWNER); /* 0x000F007F */
+
+       const int LSA_TRUSTED_DOMAIN_READ =
+               (LSA_TRUSTED_QUERY_DOMAIN_NAME |
+                STANDARD_RIGHTS_READ_ACCESS); /* 0x00020001 */
+
+       const int LSA_TRUSTED_DOMAIN_WRITE =
+               (LSA_TRUSTED_SET_CONTROLLERS |
+                LSA_TRUSTED_SET_POSIX |
+                LSA_TRUSTED_SET_AUTH |
+                STANDARD_RIGHTS_READ_ACCESS); /* 0x00020034 */
+
+       const int LSA_TRUSTED_DOMAIN_EXECUTE =
+               (LSA_TRUSTED_QUERY_DOMAIN_NAME |
+                LSA_TRUSTED_QUERY_POSIX |
+                STANDARD_RIGHTS_READ_ACCESS); /* 0x0002000C */
+
+
        /* notice the screwup with the system_name - thats why MS created
           OpenPolicy2 */
        [public] NTSTATUS lsa_OpenPolicy (
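Review bot: The hex annotation on `LSA_TRUSTED_DOMAIN_EXECUTE` cannot be the value of the expression beside it: the expression ORs in `LSA_TRUSTED_QUERY_DOMAIN_NAME`, which the context line above defines as `0x00000001`, yet `/* 0x0002000C */` has bit 0 clear. Either the comment or the operand list is wrong, and because this constant becomes the generic-execute entry of `lsa_trusted_domain_mapping` in srv_lsa_nt.c, the choice decides which specific rights a GENERIC_EXECUTE request on a trusted domain object expands to. Please confirm the intended mask against the LSA protocol documentation, then fix whichever side is off, so that the comment reads as the value the expression actually evaluates to. The generated `librpc/gen_ndr/lsa.h` in this same changeset carries the same operand list and will need regenerating if the expression changes.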
diff --git a/source3/include/proto.h b/source3/include/proto.h
index b79ced7..c863d55 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -4718,14 +4718,15 @@ NTSTATUS secrets_trusted_domains(TALLOC_CTX *mem_ctx, 
uint32 *num_domains,
 bool secrets_store_afs_keyfile(const char *cell, const struct afs_keyfile 
*keyfile);
 bool secrets_fetch_afs_key(const char *cell, struct afs_key *result);
 void secrets_fetch_ipc_userpass(char **username, char **domain, char 
**password);
-TDB_CONTEXT *open_schannel_session_store(TALLOC_CTX *mem_ctx);
 bool secrets_store_generic(const char *owner, const char *key, const char 
*secret);
 char *secrets_fetch_generic(const char *owner, const char *key);
+bool secrets_delete_generic(const char *owner, const char *key);
 bool secrets_store_local_schannel_key(uint8_t schannel_key[16]);
 bool secrets_fetch_local_schannel_key(uint8_t schannel_key[16]);
 
 /* The following definitions come from passdb/secrets_schannel.c  */
 
+TDB_CONTEXT *open_schannel_session_store(TALLOC_CTX *mem_ctx);
 NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
                                    const char *computer_name,
                                    struct netlogon_creds_CredentialState 
**pcreds);
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 29e0662..369abf8 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -1132,70 +1132,23 @@ void secrets_fetch_ipc_userpass(char **username, char 
**domain, char **password)
        }
 }
 
-/******************************************************************************
- Open or create the schannel session store tdb.
-*******************************************************************************/
-
-#define SCHANNEL_STORE_VERSION_1 1
-#define SCHANNEL_STORE_VERSION_2 2 /* should not be used */
-#define SCHANNEL_STORE_VERSION_CURRENT SCHANNEL_STORE_VERSION_1
-
-TDB_CONTEXT *open_schannel_session_store(TALLOC_CTX *mem_ctx)
+bool secrets_store_generic(const char *owner, const char *key, const char 
*secret)
 {
-       TDB_DATA vers;
-       uint32 ver;
-       TDB_CONTEXT *tdb_sc = NULL;
-       char *fname = talloc_asprintf(mem_ctx, "%s/schannel_store.tdb", 
lp_private_dir());
-
-       if (!fname) {
-               return NULL;
-       }
-
-        tdb_sc = tdb_open_log(fname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
+       char *tdbkey = NULL;
+       bool ret;
 
-        if (!tdb_sc) {
-                DEBUG(0,("open_schannel_session_store: Failed to open %s\n", 
fname));
-               TALLOC_FREE(fname);
-                return NULL;
-        }
-
- again:
-       vers = tdb_fetch_bystring(tdb_sc, "SCHANNEL_STORE_VERSION");
-       if (vers.dptr == NULL) {
-               /* First opener, no version. */
-               SIVAL(&ver,0,SCHANNEL_STORE_VERSION_CURRENT);
-               vers.dptr = (uint8 *)&ver;
-               vers.dsize = 4;
-               tdb_store_bystring(tdb_sc, "SCHANNEL_STORE_VERSION", vers, 
TDB_REPLACE);
-               vers.dptr = NULL;
-       } else if (vers.dsize == 4) {
-               ver = IVAL(vers.dptr,0);
-               if (ver == SCHANNEL_STORE_VERSION_2) {
-                       DEBUG(0,("open_schannel_session_store: wrong version 
number %d in %s\n",
-                               (int)ver, fname ));
-                       tdb_wipe_all(tdb_sc);
-                       goto again;
-               }
-               if (ver != SCHANNEL_STORE_VERSION_CURRENT) {
-                       DEBUG(0,("open_schannel_session_store: wrong version 
number %d in %s\n",
-                               (int)ver, fname ));
-                       tdb_close(tdb_sc);
-                       tdb_sc = NULL;
-               }
-       } else {
-               tdb_close(tdb_sc);
-               tdb_sc = NULL;
-               DEBUG(0,("open_schannel_session_store: wrong version number 
size %d in %s\n",
-                       (int)vers.dsize, fname ));
+       if (asprintf(&tdbkey, "SECRETS/GENERIC/%s/%s", owner, key) < 0) {
+               DEBUG(0, ("asprintf failed!\n"));
+               return False;
        }
 
-       SAFE_FREE(vers.dptr);
-       TALLOC_FREE(fname);
+       ret = secrets_store(tdbkey, secret, strlen(secret)+1);
 
-       return tdb_sc;
+       SAFE_FREE(tdbkey);
+       return ret;
 }
 
-bool secrets_store_generic(const char *owner, const char *key, const char 
*secret)
+bool secrets_delete_generic(const char *owner, const char *key)
 {
        char *tdbkey = NULL;
        bool ret;
@@ -1205,7 +1158,7 @@ bool secrets_store_generic(const char *owner, const char 
*key, const char *secre
                return False;
        }
 
-       ret = secrets_store(tdbkey, secret, strlen(secret)+1);
+       ret = secrets_delete(tdbkey);
 
        SAFE_FREE(tdbkey);
        return ret;
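Review bot: `secrets_delete_generic()` builds its record name with `"SECRETS/GENERIC/%s/%s"` and nothing rejects a `/` inside `owner` or `key`, so two different (owner, key) pairs can format to the same tdb key and a delete issued for one owner can remove another owner's secret. Whether any caller passes externally influenced strings is not visible here, so this is a hardening and documentation point rather than a confirmed bug. The function also has no header comment. I would add a banner in the file's style saying it deletes the generic secret stored under owner/key, that neither argument may be NULL or contain `/`, and what the return value means when the record does not exist. The function starts in the previous hunk and only its tail is shown here.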
diff --git a/source3/passdb/secrets_schannel.c 
b/source3/passdb/secrets_schannel.c
index 84a860e..f4da625 100644
--- a/source3/passdb/secrets_schannel.c
+++ b/source3/passdb/secrets_schannel.c
@@ -21,6 +21,69 @@
 #include "../libcli/auth/schannel_state.h"
 
 /******************************************************************************
+ Open or create the schannel session store tdb.
+*******************************************************************************/
+
+#define SCHANNEL_STORE_VERSION_1 1
+#define SCHANNEL_STORE_VERSION_2 2 /* should not be used */
+#define SCHANNEL_STORE_VERSION_CURRENT SCHANNEL_STORE_VERSION_1
+
+TDB_CONTEXT *open_schannel_session_store(TALLOC_CTX *mem_ctx)
+{
+       TDB_DATA vers;
+       uint32 ver;
+       TDB_CONTEXT *tdb_sc = NULL;
+       char *fname = talloc_asprintf(mem_ctx, "%s/schannel_store.tdb", 
lp_private_dir());
+
+       if (!fname) {
+               return NULL;
+       }
+
+       tdb_sc = tdb_open_log(fname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
+
+       if (!tdb_sc) {
+               DEBUG(0,("open_schannel_session_store: Failed to open %s\n", 
fname));
+               TALLOC_FREE(fname);
+               return NULL;
+       }
+
+ again:
+       vers = tdb_fetch_bystring(tdb_sc, "SCHANNEL_STORE_VERSION");
+       if (vers.dptr == NULL) {
+               /* First opener, no version. */
+               SIVAL(&ver,0,SCHANNEL_STORE_VERSION_CURRENT);
+               vers.dptr = (uint8 *)&ver;
+               vers.dsize = 4;
+               tdb_store_bystring(tdb_sc, "SCHANNEL_STORE_VERSION", vers, 
TDB_REPLACE);
+               vers.dptr = NULL;
+       } else if (vers.dsize == 4) {
+               ver = IVAL(vers.dptr,0);
+               if (ver == SCHANNEL_STORE_VERSION_2) {
+                       DEBUG(0,("open_schannel_session_store: wrong version 
number %d in %s\n",
+                               (int)ver, fname ));
+                       tdb_wipe_all(tdb_sc);
+                       goto again;
+               }
+               if (ver != SCHANNEL_STORE_VERSION_CURRENT) {
+                       DEBUG(0,("open_schannel_session_store: wrong version 
number %d in %s\n",
+                               (int)ver, fname ));
+                       tdb_close(tdb_sc);
+                       tdb_sc = NULL;
+               }
+       } else {
+               tdb_close(tdb_sc);
+               tdb_sc = NULL;
+               DEBUG(0,("open_schannel_session_store: wrong version number 
size %d in %s\n",
+                       (int)vers.dsize, fname ));
+       }
+
+       SAFE_FREE(vers.dptr);
+       TALLOC_FREE(fname);
+
+       return tdb_sc;
+}
+
+/******************************************************************************
  Wrapper around schannel_fetch_session_key_tdb()
  Note we must be root here.
 
*******************************************************************************/
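Review bot: In the `SCHANNEL_STORE_VERSION_2` branch of `open_schannel_session_store()` the result of `tdb_wipe_all()` is ignored before `goto again`, so if the wipe fails the next fetch sees version 2 again and the function loops without end. The same path also overwrites `vers` on the re-fetch without freeing the previous `vers.dptr`. The code is moved here unchanged from secrets.c, but the move is a good moment to close both. The `tdb_store_bystring()` call in the first-opener branch is unchecked as well, which would hand back a store with no version record. I would free the fetched buffer and bail out when the wipe fails, as below.

```c
		if (ver == SCHANNEL_STORE_VERSION_2) {
			/* ... unchanged: DEBUG(0, "wrong version number") ... */
			SAFE_FREE(vers.dptr);
			if (tdb_wipe_all(tdb_sc) != 0) {
				/* Cannot reset the store: fail instead of retrying forever. */
				tdb_close(tdb_sc);
				TALLOC_FREE(fname);
				return NULL;
			}
			goto again;
		}
```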
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index a9a4fa5..d90dfee 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -59,6 +59,20 @@ const struct generic_mapping lsa_policy_mapping = {
        LSA_POLICY_ALL_ACCESS
 };
 
+const struct generic_mapping lsa_secret_mapping = {
+       LSA_SECRET_READ,
+       LSA_SECRET_WRITE,
+       LSA_SECRET_EXECUTE,
+       LSA_SECRET_ALL_ACCESS
+};
+
+const struct generic_mapping lsa_trusted_domain_mapping = {
+       LSA_TRUSTED_DOMAIN_READ,
+       LSA_TRUSTED_DOMAIN_WRITE,
+       LSA_TRUSTED_DOMAIN_EXECUTE,
+       LSA_TRUSTED_DOMAIN_ALL_ACCESS
+};
+
 /***************************************************************************
  init_lsa_ref_domain_list - adds a domain if it's not already in, returns the 
index.
 ***************************************************************************/
@@ -372,9 +386,8 @@ NTSTATUS _lsa_OpenPolicy2(pipes_struct *p,
        }
 
        status = access_check_object(psd, p->server_info->ptok,
-               NULL, 0, des_access,
-               &acc_granted, "_lsa_OpenPolicy2" );
-
+                                    NULL, 0, des_access,
+                                    &acc_granted, "_lsa_OpenPolicy2" );
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
@@ -1017,23 +1030,24 @@ NTSTATUS _lsa_LookupSids3(pipes_struct *p,
 /***************************************************************************
  ***************************************************************************/
 
-static int lsa_lookup_level_to_flags(uint16 level)
+static int lsa_lookup_level_to_flags(enum lsa_LookupNamesLevel level)
 {
        int flags;
 
        switch (level) {
-               case 1:
+               case LSA_LOOKUP_NAMES_ALL: /* 1 */
                        flags = LOOKUP_NAME_ALL;
                        break;
-               case 2:
+               case LSA_LOOKUP_NAMES_DOMAINS_ONLY: /* 2 */
                        flags = 
LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
                        break;
-               case 3:
+               case LSA_LOOKUP_NAMES_PRIMARY_DOMAIN_ONLY: /* 3 */
                        flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
                        break;
-               case 4:
-               case 5:
-               case 6:
+               case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY: /* 4 */
+               case LSA_LOOKUP_NAMES_FOREST_TRUSTS_ONLY: /* 5 */
+               case LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2: /* 6 */
+               case LSA_LOOKUP_NAMES_RODC_REFERRAL_TO_FULL_DC: /* 7 */
                default:
                        flags = LOOKUP_NAME_NONE;
                        break;
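Review bot: The banner above `lsa_lookup_level_to_flags()` is still empty, and nothing records that the `default:` arm is what keeps an out-of-range level mapped to `LOOKUP_NAME_NONE`. Typing the parameter as `enum lsa_LookupNamesLevel` does not stop a caller from passing a value outside the enum, and the level presumably originates from the RPC request, so that arm must not be dropped even though every named member is now listed. I would fill the banner with `Map an lsa_LookupNamesLevel to LOOKUP_NAME_* flags; unknown or unsupported levels yield LOOKUP_NAME_NONE.` and add `/* fail closed on unknown wire values */` next to `default:`. The function body continues past the end of this hunk.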
@@ -1674,9 +1688,9 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p,
                return status;
        }
 
-        status = access_check_object(psd, p->server_info->ptok,
-                NULL, 0, r->in.access_mask,
-                &acc_granted, "_lsa_CreateAccount");
+       status = access_check_object(psd, p->server_info->ptok,
+                                    NULL, 0, r->in.access_mask,
+                                    &acc_granted, "_lsa_CreateAccount");
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
@@ -1745,9 +1759,8 @@ NTSTATUS _lsa_OpenAccount(pipes_struct *p,
        }
 
        status = access_check_object(psd, p->server_info->ptok,
-               NULL, 0, des_access,
-               &acc_granted, "_lsa_OpenAccount" );
-
+                                    NULL, 0, des_access,
+                                    &acc_granted, "_lsa_OpenAccount" );
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
@@ -2137,10 +2150,10 @@ NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
         * on the account sid. We don't check here so just use the latter. JRA.
         */
 
-        status = access_check_object(psd, p->server_info->ptok,
-                NULL, 0, 
LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
-                &acc_granted, "_lsa_AddAccountRights" );
-
+       status = access_check_object(psd, p->server_info->ptok,
+                                    NULL, 0,
+                                    
LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
+                                    &acc_granted, "_lsa_AddAccountRights" );
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
         }
@@ -2207,11 +2220,11 @@ NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
         * and DELETE on the account sid.
         */
 
-        status = access_check_object(psd, p->server_info->ptok,
-                NULL, 0, 
LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
-                       LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
-                &acc_granted, "_lsa_AddAccountRights" );
-
+       status = access_check_object(psd, p->server_info->ptok,
+                                    NULL, 0,
+                                    
LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
+                                    LSA_ACCOUNT_VIEW|STD_RIGHT_DELETE_ACCESS,
+                                    &acc_granted, "_lsa_RemoveAccountRights");
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
         }
diff --git a/source3/utils/net_sam.c b/source3/utils/net_sam.c
index 95405f3..fe84ce4 100644
--- a/source3/utils/net_sam.c
+++ b/source3/utils/net_sam.c
@@ -137,7 +137,7 @@ static int net_sam_set_userflag(struct net_context *c, int 
argc,
        enum lsa_SidType type;
        const char *dom, *name;
        NTSTATUS status;
-       uint16 acct_flags;
+       uint32_t acct_flags;
 
        if ((argc != 2) || c->display_usage ||
            (!strequal(argv[1], "yes") &&


-- 
Samba Shared Repository
