From 361caafeebb37f6247f7ede38a50a70323fdd107 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 15 May 2009 17:54:27 -0700
Subject: [PATCH] Add extra abilities for a user with SeAddUsers, so they can manipulate groups and aliases.
Jeremy.
---
 source3/rpc_server/srv_samr_nt.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index d66199e8aa3..2979d7100d1 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -605,6 +605,7 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
 uint32 des_access = r->in.access_mask;
 NTSTATUS status;
 size_t sd_size;
+ uint32_t extra_access = SAMR_DOMAIN_ACCESS_CREATE_USER;
 SE_PRIV se_rights;
 /* find the connection policy handle. */
@@ -620,13 +621,25 @@ NTSTATUS _samr_OpenDomain(pipes_struct *p,
 /*
 * Users with SeMachineAccount or SeAddUser get additional
- * SAMR_DOMAIN_ACCESS_CREATE_USER access, but no more.
+ * SAMR_DOMAIN_ACCESS_CREATE_USER access.
 */
 se_priv_copy( &se_rights, &se_machine_account );
 se_priv_add( &se_rights, &se_add_users );
+ /*
+ * Users with SeAddUser get the ability to manipulate groups
+ * and aliases.
+ */
+ if (user_has_any_privilege(p->server_info->ptok, &se_add_users)) {
+ extra_access |= (SAMR_DOMAIN_ACCESS_CREATE_GROUP |
+ SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
+ SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
+ SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS |
+ SAMR_DOMAIN_ACCESS_CREATE_ALIAS);
+ }
+
 status = access_check_samr_object( psd, p->server_info->ptok,
- &se_rights, SAMR_DOMAIN_ACCESS_CREATE_USER, des_access,
+ &se_rights, extra_access, des_access,
 &acc_granted, "_samr_OpenDomain" );
 if ( !NT_STATUS_IS_OK(status) )
--
2.11.4.GIT
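Review bot: The new comment in the second hunk describes the grant as "manipulate groups and aliases", but the mask OR'd into `extra_access` also contains SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS and SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, which are domain-level rights not specific to groups or aliases and, as far as this hunk shows, let a SeAddUsers holder enumerate and open any account type in the domain (presumably whichever domain SID is being opened, BUILTIN included — confirm). Since the old comment's explicit "but no more" is being dropped at the same time, the comment should name the full set rather than the intent, e.g. `* Users with SeAddUsers also get CREATE_GROUP, CREATE_ALIAS, LOOKUP_ALIAS,` / `* ENUM_ACCOUNTS and OPEN_ACCOUNT on the domain handle (enumerate/open any` / `* account), which is what managing groups and aliases needs.`, and the commit message should state the same. The widened mask is handed to access_check_samr_object together with `se_rights`, which still holds both SeMachineAccount and SeAddUsers; it is only the separate `user_has_any_privilege(p->server_info->ptok, &se_add_users)` check that keeps a SeMachineAccount-only token at CREATE_USER, so that coupling deserves a one-line note next to the call, e.g. `/* extra_access was widened above only if the token holds SeAddUsers */`. `_samr_OpenDomain`'s body starts before the first hunk and continues past the second.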