authorStefan Metzmacher <metze@samba.org>2013-06-10 13:31:59 +0200
committerStefan Metzmacher <metze@samba.org>2013-06-13 13:57:42 +0200
commit5959affa031843d741513000fb382efe54ff147b (patch)
tree1cdcb63169931577f849289462ce54979efdf972 /source4/dsdb
parentafb2bcc08489dbece732fc8f842cbd83862320be (diff)
dsdb: use AS_SYSTEM | SHOW_RECYCLED for access check searches
We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute. Also the result of this search is not controlled by the client nor is the result exposed to the client. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/common/dsdb_access.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/source4/dsdb/common/dsdb_access.c b/source4/dsdb/common/dsdb_access.c
index 6af5c3ae87..84005b3e5e 100644
--- a/source4/dsdb/common/dsdb_access.c
+++ b/source4/dsdb/common/dsdb_access.c
@@ -159,7 +159,13 @@ int dsdb_check_access_on_dn(struct ldb_context *ldb,
}
}
- ret = dsdb_search_dn(ldb, mem_ctx, &acl_res, dn, acl_attrs, DSDB_SEARCH_SHOW_DELETED);
+ /*
+ * We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute.
+ * Also the result of this search not controlled by the client
+ * nor is the result exposed to the client.
+ */
+ ret = dsdb_search_dn(ldb, mem_ctx, &acl_res, dn, acl_attrs,
+ DSDB_FLAG_AS_SYSTEM | DSDB_SEARCH_SHOW_RECYCLED);
if (ret != LDB_SUCCESS) {
DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
return ret;
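Review bot: The comment above the new `dsdb_search_dn()` call justifies `DSDB_FLAG_AS_SYSTEM` but says nothing about why `DSDB_SEARCH_SHOW_DELETED` was replaced by `DSDB_SEARCH_SHOW_RECYCLED`, and its second sentence is missing a verb. I would reword it to `* The result of this search is not controlled by the client, nor is it exposed to the client.` and add one line stating why recycled objects have to be included in an access-check lookup. Because the lookup now bypasses ACL filtering, the value passed up by `return ret;` can presumably distinguish a DN that does not exist from one the caller may not see, so it is worth confirming that callers do not hand this code back to a client in a way that discloses object existence. It would also help to note in the comment that `acl_res` must stay internal to this function, since the safety of running as system rests on that. The body of `dsdb_check_access_on_dn` starts and ends outside the hunk, so how `acl_res` is used afterwards is not visible here.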