The branch, v3-2-test has been updated via 3591c95beaed3abfa10b1579e377b0103647a177 (commit) from 6d308951c5b0fec988685f64f040f0770b537efb (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-2-test - Log ----------------------------------------------------------------- commit 3591c95beaed3abfa10b1579e377b0103647a177 Author: Jeremy Allison <j...@samba.org> Date: Wed Apr 15 14:09:32 2009 -0700 Fix bug #6089 - Winbind samr_OpenDomain not possible with Samba 3.2.6+ What a difference a name makes... :-). Just because something is missnamed SA_RIGHT_SAM_OPEN_DOMAIN, when it should actually be SA_RIGHT_SAM_LOOKUP_DOMAIN, don't automatically use it for a security check in _samr_OpenDomain(). Jeremy. ----------------------------------------------------------------------- Summary of changes: source/include/rpc_secdes.h | 4 ++-- source/rpc_server/srv_samr_nt.c | 13 +++---------- source/utils/net_rpc.c | 2 +- 3 files changed, 6 insertions(+), 13 deletions(-) Changeset truncated at 500 lines: diff --git a/source/include/rpc_secdes.h b/source/include/rpc_secdes.h index 649e806..bf5b85f 100644 --- a/source/include/rpc_secdes.h +++ b/source/include/rpc_secdes.h @@ -224,7 +224,7 @@ struct standard_mapping { #define SA_RIGHT_SAM_INITIALISE_SERVER 0x00000004 #define SA_RIGHT_SAM_CREATE_DOMAIN 0x00000008 #define SA_RIGHT_SAM_ENUM_DOMAINS 0x00000010 -#define SA_RIGHT_SAM_OPEN_DOMAIN 0x00000020 +#define SA_RIGHT_SAM_LOOKUP_DOMAIN 0x00000020 #define SA_RIGHT_SAM_ALL_ACCESS 0x0000003F @@ -244,7 +244,7 @@ struct standard_mapping { #define GENERIC_RIGHTS_SAM_EXECUTE \ (STANDARD_RIGHTS_EXECUTE_ACCESS | \ - SA_RIGHT_SAM_OPEN_DOMAIN | \ + SA_RIGHT_SAM_LOOKUP_DOMAIN | \ SA_RIGHT_SAM_CONNECT_SERVER) diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c index 6e37ea5..f14c53b 100644 --- a/source/rpc_server/srv_samr_nt.c +++ b/source/rpc_server/srv_samr_nt.c @@ -620,13 +620,6 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p, if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) ) return NT_STATUS_INVALID_HANDLE; - status = access_check_samr_function(info->acc_granted, - SA_RIGHT_SAM_OPEN_DOMAIN, - "_samr_OpenDomain" ); - - if ( !NT_STATUS_IS_OK(status) ) - return status; - /*check if access can be granted as requested by client. */ map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); @@ -2957,7 +2950,7 @@ NTSTATUS _samr_QueryDomainInfo(pipes_struct *p, } status = access_check_samr_function(info->acc_granted, - SA_RIGHT_SAM_OPEN_DOMAIN, + SA_RIGHT_SAM_LOOKUP_DOMAIN, "_samr_QueryDomainInfo" ); if ( !NT_STATUS_IS_OK(status) ) @@ -3357,7 +3350,7 @@ NTSTATUS _samr_Connect(pipes_struct *p, map_max_allowed_access(p->pipe_user.nt_user_token, &des_access); se_map_generic( &des_access, &sam_generic_mapping ); - info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN); + info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_LOOKUP_DOMAIN); /* get a (unique) handle. open a policy on it. */ if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info)) @@ -3544,7 +3537,7 @@ NTSTATUS _samr_LookupDomain(pipes_struct *p, Reverted that change so we will work with RAS servers again */ status = access_check_samr_function(info->acc_granted, - SA_RIGHT_SAM_OPEN_DOMAIN, + SA_RIGHT_SAM_LOOKUP_DOMAIN, "_samr_LookupDomain"); if (!NT_STATUS_IS_OK(status)) { return status; diff --git a/source/utils/net_rpc.c b/source/utils/net_rpc.c index 0476394..1eaa1c6 100644 --- a/source/utils/net_rpc.c +++ b/source/utils/net_rpc.c @@ -6280,7 +6280,7 @@ static int rpc_trustdom_list(int argc, const char **argv) /* SamrConnect2 */ nt_status = rpccli_samr_Connect2(pipe_hnd, mem_ctx, pipe_hnd->cli->desthost, - SA_RIGHT_SAM_OPEN_DOMAIN, + SA_RIGHT_SAM_LOOKUP_DOMAIN, &connect_hnd); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Couldn't open SAMR policy handle. Error was %s\n", -- Samba Shared Repository