2 files changed, 21 insertions, 4 deletions

diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 717b72ded2..93cf6f4b8d 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -32,9 +32,14 @@
   connect to the SAM database
   return an opaque context pointer on success, or NULL on failure
  */
-struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx)
+struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx, struct auth_session_info *session_info)
 {
-	return ldb_wrap_connect(mem_ctx, lp_sam_url(), 0, NULL);
+	struct ldb_context *ldb;
+	ldb = ldb_wrap_connect(mem_ctx, lp_sam_url(), 0, NULL);
+	if (ldb_set_opaque(ldb, "sessionInfo", session_info)) {
+		return NULL;
+	}
+	return ldb;
 }
 
 /*
diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c
index 059d612225..55dfef04aa 100644
--- a/source4/dsdb/samdb/samdb_privilege.c
+++ b/source4/dsdb/samdb/samdb_privilege.c
@@ -75,11 +75,23 @@ static NTSTATUS samdb_privilege_setup_sid(void *samctx, TALLOC_CTX *mem_ctx,
 NTSTATUS samdb_privilege_setup(struct security_token *token)
 {
 	void *samctx;
-	TALLOC_CTX *mem_ctx = talloc_new(token);
+	TALLOC_CTX *mem_ctx;
 	int i;
 	NTSTATUS status;
 
-	samctx = samdb_connect(mem_ctx);
+	/* Shortcuts to prevent recursion and avoid lookups */
+	if (is_system_token(token)) {
+		token->privilege_mask = ~0;
+		return NT_STATUS_OK;
+	}
+
+	if (is_anonymous_token(token)) {
+		token->privilege_mask = 0;
+		return NT_STATUS_OK;
+	}
+
+	mem_ctx = talloc_new(token);
+	samctx = samdb_connect(mem_ctx, system_session(mem_ctx));
 	if (samctx == NULL) {
 		talloc_free(mem_ctx);
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;