level of access for further checks.
********************************************************************/
-NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, uint32 des_access,
+static NTSTATUS access_check_samr_object(SEC_DESC *psd, NT_USER_TOKEN *nt_user_token, uint32 des_access,
uint32 *acc_granted, const char *debug)
{
NTSTATUS status = NT_STATUS_ACCESS_DENIED;
Checks if access to a function can be granted
********************************************************************/
-NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
+static NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug)
{
DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n",
debug, acc_granted, acc_required));
uint32 new_rid = 0;
/* check this, when giving away 'add computer to domain' privs */
uint32 des_access = GENERIC_RIGHTS_USER_ALL_ACCESS;
- BOOL is_domain_admin = False;
+ BOOL can_add_machines = False;
+ SE_PRIV se_machineop = SE_MACHINE_ACCOUNT;
/* Get the domain SID stored in the domain policy */
if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted))
/* check to see if we are a domain admin */
- is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ can_add_machines = user_has_privileges( p->pipe_user.nt_user_token, &se_machineop );
DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n",
- p->pipe_user_name, is_domain_admin ? "" : " not"));
+ p->pipe_user_name, can_add_machines ? "" : " not"));
pdb_init_sam(&sam_pass);
pw = Get_Pwnam(account);
- /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */
+ /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
- if ( is_domain_admin )
+ if ( can_add_machines )
become_root();
if ( !pw ) {
/* implicit call to getpwnam() next. we have a valid SID coming out of this call */
if ( !NT_STATUS_IS_OK(nt_status = pdb_init_sam_new(&sam_pass, account, new_rid)) ) {
- if ( is_domain_admin )
+ if ( can_add_machines )
unbecome_root();
return nt_status;
}
ret = pdb_add_sam_account(sam_pass);
- if ( is_domain_admin )
+ if ( can_add_machines )
unbecome_root();
- /* ================ END DOMAIN ADMIN BLOCK ================ */
+ /* ================ END SeMachineAccountPrivilege BLOCK ================ */
if ( !ret ) {
pdb_free_sam(&sam_pass);
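Review bot: The DEBUG line at L26–L28 still reports "%s is%s a member of the Domain Admins group" although the flag it prints, can_add_machines, now comes from user_has_privileges() with SE_MACHINE_ACCOUNT, so the log will attribute the become_root() decision to the wrong criterion; the same stale text is kept at L62–L64 and L89–L91. Suggest `"_samr_create_user: %s does%s hold SeMachineAccountPrivilege\n"` with the same arguments. Separately, the become_root() block between L34 and L47 is now entered for any holder of that privilege regardless of what kind of account is being created; unless the account type is constrained before this hunk (the function starts outside it), a privilege intended for joining workstations also elevates creation of ordinary user accounts, and a check that the request is for a workstation trust account (ACB_WSTRUST in the account control flags) before setting can_add_machines would keep the grant within the privilege's scope.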
SAM_USERINFO_CTR *ctr = q_u->ctr;
uint32 acc_granted;
uint32 acc_required;
- BOOL is_domain_admin;
+ BOOL can_add_machines;
+ SE_PRIV se_machineop = SE_MACHINE_ACCOUNT;
DEBUG(5, ("_samr_set_userinfo: %d\n", __LINE__));
/* check to see if we are a domain admin */
- is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ can_add_machines = user_has_privileges( p->pipe_user.nt_user_token, &se_machineop );
DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n",
- p->pipe_user_name, is_domain_admin ? "" : " not"));
+ p->pipe_user_name, can_add_machines ? "" : " not"));
- /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */
+ /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
- if ( is_domain_admin )
+ if ( can_add_machines )
become_root();
/* ok! user info levels (lots: see MSDEV help), off we go... */
}
- if ( is_domain_admin )
+ if ( can_add_machines )
unbecome_root();
- /* ================ END DOMAIN ADMIN BLOCK ================ */
+ /* ================ END SeMachineAccountPrivilege BLOCK ================ */
return r_u->status;
}
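Review bot: In _samr_set_userinfo the become_root() at L69 is gated only on can_add_machines (L61), with no check that the account being modified is a machine account, so a principal holding SeMachineAccountPrivilege can have attribute changes on arbitrary users applied as root; the _samr_set_userinfo2 hunk (L88–L102) has the same shape. Unless the target's account control flags are inspected earlier in the function (its start is outside the hunk), consider restricting the elevation to accounts whose flags carry ACB_WSTRUST, e.g. `can_add_machines = (acct_ctrl & ACB_WSTRUST) && user_has_privileges( p->pipe_user.nt_user_token, &se_machineop );` where acct_ctrl is read from the target account before the privileged block.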
uint16 switch_value = q_u->switch_value;
uint32 acc_granted;
uint32 acc_required;
- BOOL is_domain_admin;
+ BOOL can_add_machines;
+ SE_PRIV se_machineop = SE_MACHINE_ACCOUNT;
DEBUG(5, ("samr_reply_set_userinfo2: %d\n", __LINE__));
/* check to see if we are a domain admin */
- is_domain_admin = nt_token_check_domain_rid( p->pipe_user.nt_user_token, DOMAIN_GROUP_RID_ADMINS );
+ can_add_machines = user_has_privileges( p->pipe_user.nt_user_token, &se_machineop );
DEBUG(5, ("_samr_create_user: %s is%s a member of the Domain Admins group\n",
- p->pipe_user_name, is_domain_admin ? "" : " not"));
+ p->pipe_user_name, can_add_machines ? "" : " not"));
- /* ================ BEGIN DOMAIN ADMIN BLOCK ================ */
+ /* ================ BEGIN SeMachineAccountPrivilege BLOCK ================ */
- if ( is_domain_admin )
+ if ( can_add_machines )
become_root();
/* ok! user info levels (lots: see MSDEV help), off we go... */
r_u->status = NT_STATUS_INVALID_INFO_CLASS;
}
- if ( is_domain_admin )
+ if ( can_add_machines )
unbecome_root();
- /* ================ END DOMAIN ADMIN BLOCK ================ */
+ /* ================ END SeMachineAccountPrivilege BLOCK ================ */
return r_u->status;
}
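Review bot: The DEBUG message at L89–L91 is prefixed "_samr_create_user:" although it is emitted from samr_reply_set_userinfo2 (L85), and the same copied prefix appears at L62 in _samr_set_userinfo; with the privilege check now driving become_root(), a log line naming the wrong RPC operation makes later audit of who was elevated and why harder to read. Suggest `"_samr_set_userinfo2: %s does%s hold SeMachineAccountPrivilege\n"` here and the corresponding name at L62. The enclosing function begins outside the hunk.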