From da30272dfc7148957919989671aee7a87a267f77 Mon Sep 17 00:00:00 2001
From: =?utf8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 27 Nov 2008 01:21:49 +0100
Subject: [PATCH] s3-samr: avoid enumeration and user creation on builtin
 domain handle.

Guenther
(cherry picked from commit 85a2c0607e25b8a3ca91c50f71f4d649d29bd0e3)
---
 source/rpc_server/srv_samr_nt.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index ff9462e92dd..db76385a46e 100644
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -1481,6 +1481,11 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
 	if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
+	if (info->builtin_domain) {
+		DEBUG(5,("_samr_QueryDisplayInfo: Nothing in BUILTIN\n"));
+		return NT_STATUS_OK;
+	}
+
 	status = access_check_samr_function(info->acc_granted,
 					    SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS,
 					    "_samr_QueryDisplayInfo");
@@ -3338,6 +3343,11 @@ NTSTATUS _samr_CreateUser2(pipes_struct *p,
 				     &disp_info))
 		return NT_STATUS_INVALID_HANDLE;
 
+	if (disp_info->builtin_domain) {
+		DEBUG(5,("_samr_CreateUser2: Refusing user create in BUILTIN\n"));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	nt_status = access_check_samr_function(acc_granted,
 					       SAMR_DOMAIN_ACCESS_CREATE_USER,
 					       "_samr_CreateUser2");
-- 
2.11.4.GIT