s4-auth Remove duplicate copies of session_info creation code

We now just do or do not call into LDB based on some flags.

This means there may be some more link time dependencies, but we seem
to deal with those better now.

Andrew Bartlett

1 files changed, 22 insertions, 5 deletions

diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 7ba440006a..a8428a9c54 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -222,11 +222,28 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 		}
 	}
 
-	/* setup the privilege mask for this token */
-	status = samdb_privilege_setup(lp_ctx, ptoken);
-	if (!NT_STATUS_IS_OK(status)) {
-		talloc_free(ptoken);
-		return status;
+	/* The caller may have requested simple privilages, for example if there isn't a local DB */
+	if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
+		/* Shortcuts to prevent recursion and avoid lookups */
+		if (ptoken->sids == NULL) {
+			ptoken->privilege_mask = 0;
+		} else if (security_token_is_system(ptoken)) {
+			ptoken->privilege_mask = ~0;
+		} else if (security_token_is_anonymous(ptoken)) {
+			ptoken->privilege_mask = 0;
+		} else if (security_token_has_builtin_administrators(ptoken)) {
+			ptoken->privilege_mask = ~0;
+		} else {
+			/* All other 'users' get a empty priv set so far */
+			ptoken->privilege_mask = 0;
+		}
+	} else {
+		/* setup the privilege mask for this token */
+		status = samdb_privilege_setup(lp_ctx, ptoken);
+		if (!NT_STATUS_IS_OK(status)) {
+			talloc_free(ptoken);
+			return status;
+		}
 	}
 
 	security_token_debug(0, 10, ptoken);