From 8bb93e555842c51a3722c46bcc8401f3944b1b3d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 15 Apr 2009 14:31:43 -0700
Subject: Fix bug #6089 - Winbind samr_OpenDomain not possible with Samba
 3.2.6+ What a difference a name makes... :-). Just because something is
 missnamed SA_RIGHT_SAM_OPEN_DOMAIN, when it should actually be
 SA_RIGHT_SAM_LOOKUP_DOMAIN, don't automatically use it for a security check
 in _samr_OpenDomain(). Jeremy. (cherry picked from commit
 8a985bcfe4aee7e602601fe78a94757dce645fcc)

---
 source/rpc_server/srv_samr_nt.c | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

(limited to 'source/rpc_server/srv_samr_nt.c')

diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index a946d2ed6d1..ec62662de22 100644
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -620,13 +620,6 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
 	if ( !find_policy_by_hnd(p, r->in.connect_handle, (void**)(void *)&info) )
 		return NT_STATUS_INVALID_HANDLE;
 
-	status = access_check_samr_function(info->acc_granted,
-					    SAMR_ACCESS_OPEN_DOMAIN,
-					    "_samr_OpenDomain" );
-
-	if ( !NT_STATUS_IS_OK(status) )
-		return status;
-
 	/*check if access can be granted as requested by client. */
 	map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
 
@@ -2897,7 +2890,7 @@ NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
 	}
 
 	status = access_check_samr_function(info->acc_granted,
-					    SAMR_ACCESS_OPEN_DOMAIN,
+					    SAMR_ACCESS_LOOKUP_DOMAIN,
 					    "_samr_QueryDomainInfo" );
 
 	if ( !NT_STATUS_IS_OK(status) )
@@ -3322,7 +3315,7 @@ NTSTATUS _samr_Connect(pipes_struct *p,
 	map_max_allowed_access(p->pipe_user.nt_user_token, &des_access);
 
 	se_map_generic( &des_access, &sam_generic_mapping );
-	info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_OPEN_DOMAIN);
+	info->acc_granted = des_access & (SAMR_ACCESS_ENUM_DOMAINS|SAMR_ACCESS_LOOKUP_DOMAIN);
 
 	/* get a (unique) handle.  open a policy on it. */
 	if (!create_policy_hnd(p, r->out.connect_handle, free_samr_info, (void *)info))
@@ -3458,7 +3451,7 @@ NTSTATUS _samr_LookupDomain(pipes_struct *p,
 	   Reverted that change so we will work with RAS servers again */
 
 	status = access_check_samr_function(info->acc_granted,
-					    SAMR_ACCESS_OPEN_DOMAIN,
+					    SAMR_ACCESS_LOOKUP_DOMAIN,
 					    "_samr_LookupDomain");
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
-- 
cgit