SAMR_ACCESS_UNKNOWN_1 )
/* Access bits to Domain-objects */
-
-#define DOMAIN_ACCESS_LOOKUP_INFO_1 0x00000001
-#define DOMAIN_ACCESS_SET_INFO_1 0x00000002
-#define DOMAIN_ACCESS_LOOKUP_INFO_2 0x00000004
-#define DOMAIN_ACCESS_SET_INFO_2 0x00000008
-#define DOMAIN_ACCESS_CREATE_USER 0x00000010
-#define DOMAIN_ACCESS_CREATE_GROUP 0x00000020
-#define DOMAIN_ACCESS_CREATE_ALIAS 0x00000040
-#define DOMAIN_ACCESS_UNKNOWN_80 0x00000080
-#define DOMAIN_ACCESS_ENUM_ACCOUNTS 0x00000100
-#define DOMAIN_ACCESS_OPEN_ACCOUNT 0x00000200
-#define DOMAIN_ACCESS_SET_INFO_3 0x00000400
-
-#define DOMAIN_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED_ACCESS | \
- DOMAIN_ACCESS_SET_INFO_3 | \
- DOMAIN_ACCESS_OPEN_ACCOUNT | \
- DOMAIN_ACCESS_ENUM_ACCOUNTS | \
- DOMAIN_ACCESS_UNKNOWN_80 | \
- DOMAIN_ACCESS_CREATE_ALIAS | \
- DOMAIN_ACCESS_CREATE_GROUP | \
- DOMAIN_ACCESS_CREATE_USER | \
- DOMAIN_ACCESS_SET_INFO_2 | \
- DOMAIN_ACCESS_LOOKUP_INFO_2 | \
- DOMAIN_ACCESS_SET_INFO_1 | \
- DOMAIN_ACCESS_LOOKUP_INFO_1 )
-
-#define DOMAIN_READ ( STANDARD_RIGHTS_READ_ACCESS | \
- DOMAIN_ACCESS_UNKNOWN_80 | \
- DOMAIN_ACCESS_LOOKUP_INFO_2 )
-
-#define DOMAIN_WRITE ( STANDARD_RIGHTS_WRITE_ACCESS | \
- DOMAIN_ACCESS_SET_INFO_3 | \
- DOMAIN_ACCESS_CREATE_ALIAS | \
- DOMAIN_ACCESS_CREATE_GROUP | \
- DOMAIN_ACCESS_CREATE_USER | \
- DOMAIN_ACCESS_SET_INFO_2 | \
- DOMAIN_ACCESS_SET_INFO_1 )
-
-#define DOMAIN_EXECUTE ( STANDARD_RIGHTS_EXECUTE_ACCESS | \
- DOMAIN_ACCESS_OPEN_ACCOUNT | \
- DOMAIN_ACCESS_ENUM_ACCOUNTS | \
- DOMAIN_ACCESS_LOOKUP_INFO_1 )
-
+
+#define DOMAIN_ACCESS_LOOKUP_INFO_1 0x000000001
+#define DOMAIN_ACCESS_SET_INFO_1 0x000000002
+#define DOMAIN_ACCESS_LOOKUP_INFO_2 0x000000004
+#define DOMAIN_ACCESS_SET_INFO_2 0x000000008
+#define DOMAIN_ACCESS_CREATE_USER 0x000000010
+#define DOMAIN_ACCESS_CREATE_GROUP 0x000000020
+#define DOMAIN_ACCESS_CREATE_ALIAS 0x000000040
+#define DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM 0x000000080
+#define DOMAIN_ACCESS_ENUM_ACCOUNTS 0x000000100
+#define DOMAIN_ACCESS_OPEN_ACCOUNT 0x000000200
+#define DOMAIN_ACCESS_SET_INFO_3 0x000000400
+
+#define DOMAIN_ALL_ACCESS ( STANDARD_RIGHTS_REQUIRED_ACCESS | \
+ DOMAIN_ACCESS_SET_INFO_3 | \
+ DOMAIN_ACCESS_OPEN_ACCOUNT | \
+ DOMAIN_ACCESS_ENUM_ACCOUNTS | \
+ DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM | \
+ DOMAIN_ACCESS_CREATE_ALIAS | \
+ DOMAIN_ACCESS_CREATE_GROUP | \
+ DOMAIN_ACCESS_CREATE_USER | \
+ DOMAIN_ACCESS_SET_INFO_2 | \
+ DOMAIN_ACCESS_LOOKUP_INFO_2 | \
+ DOMAIN_ACCESS_SET_INFO_1 | \
+ DOMAIN_ACCESS_LOOKUP_INFO_1 )
+
+#define DOMAIN_READ ( STANDARD_RIGHTS_READ_ACCESS | \
+ DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM | \
+ DOMAIN_ACCESS_LOOKUP_INFO_2 )
+
+#define DOMAIN_WRITE ( STANDARD_RIGHTS_WRITE_ACCESS | \
+ DOMAIN_ACCESS_SET_INFO_3 | \
+ DOMAIN_ACCESS_CREATE_ALIAS | \
+ DOMAIN_ACCESS_CREATE_GROUP | \
+ DOMAIN_ACCESS_CREATE_USER | \
+ DOMAIN_ACCESS_SET_INFO_2 | \
+ DOMAIN_ACCESS_SET_INFO_1 )
+
+#define DOMAIN_EXECUTE ( STANDARD_RIGHTS_EXECUTE_ACCESS | \
+ DOMAIN_ACCESS_OPEN_ACCOUNT | \
+ DOMAIN_ACCESS_ENUM_ACCOUNTS | \
+ DOMAIN_ACCESS_LOOKUP_INFO_1 )
+
/* Access bits to User-objects */
#define USER_ACCESS_GET_NAME_ETC 0x00000001
uint32 *rids=NULL, *new_rids=NULL, *tmp_rids=NULL;
struct samr_info *info = NULL;
int i,j;
+
+ NTSTATUS ntstatus1;
+ NTSTATUS ntstatus2;
+
/* until i see a real useraliases query, we fack one up */
/* I have seen one, JFM 2/12/2001 */
if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
return NT_STATUS_INVALID_HANDLE;
- if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, USER_ACCESS_GET_GROUPS, "_samr_query_useraliases"))) {
- return r_u->status;
- }
+ ntstatus1 = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases");
+ ntstatus2 = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_query_useraliases");
+
+ if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
+ if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
+ !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
+ return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
+ }
+ }
if (!sid_check_is_domain(&info->sid) &&
!sid_check_is_builtin(&info->sid))
if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted))
return NT_STATUS_INVALID_HANDLE;
- if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_GET_MEMBERS, "_samr_query_aliasmem"))) {
+ if (!NT_STATUS_IS_OK(r_u->status =
+ access_check_samr_function(acc_granted, ALIAS_ACCESS_GET_MEMBERS, "_samr_query_aliasmem"))) {
return r_u->status;
}