s3-lsa: let _lsa_GetSystemAccessAccount() call into _lsa_EnumPrivsAccount().

Inspired by lsa server from Samba 4.

Just removing a user in SAMR does not remove a user in LSA. If you use
usermanager from windows, the "User Rights" management gui gets unaccessable as
soon as you delete a user that had privileges granted. With this fix, that
no longer existing user would properly appear as an unknown account in the GUI
(as it does while using usermanager with windows domains).

This almost makes Samba3 pass the RPC-SAMR-USERS-PRIVILEGES test.

Guenther

1 files changed, 23 insertions, 3 deletions

diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index 7cddb5cb85..dd0bfe1492 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -1717,7 +1717,10 @@ NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
 NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
 				     struct lsa_GetSystemAccessAccount *r)
 {
-	struct lsa_info *info=NULL;
+	NTSTATUS status;
+	struct lsa_info *info = NULL;
+	struct lsa_EnumPrivsAccount e;
+	struct lsa_PrivilegeSet *privset;
 
 	/* find the connection policy handle. */
 
@@ -1727,8 +1730,25 @@ NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
 	if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
 		return NT_STATUS_ACCESS_DENIED;
 
-	if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL))
-		return NT_STATUS_ACCESS_DENIED;
+	privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet);
+	if (!privset) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	e.in.handle = r->in.handle;
+	e.out.privs = &privset;
+
+	status = _lsa_EnumPrivsAccount(p, &e);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10,("_lsa_GetSystemAccessAccount: "
+			"failed to call _lsa_EnumPrivsAccount(): %s\n",
+			nt_errstr(status)));
+		return status;
+	}
+
+	/* Samba4 would iterate over the privset to merge the policy mode bits,
+	 * not sure samba3 can do the same here, so just return what we did in
+	 * the past - gd */
 
 	/*
 	  0x01 -> Log on locally