From 6ab0c83570b2e60e0cd3bd5f5bfb1923fd359994 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Mon, 18 May 2009 21:05:08 +0200 Subject: s3-lsa: let _lsa_GetSystemAccessAccount() call into _lsa_EnumPrivsAccount(). Inspired by lsa server from Samba 4. Just removing a user in SAMR does not remove a user in LSA. If you use usermanager from windows, the "User Rights" management gui gets unaccessable as soon as you delete a user that had privileges granted. With this fix, that no longer existing user would properly appear as an unknown account in the GUI (as it does while using usermanager with windows domains). This almost makes Samba3 pass the RPC-SAMR-USERS-PRIVILEGES test. Guenther --- source3/rpc_server/srv_lsa_nt.c | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index 7cddb5cb85..dd0bfe1492 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -1717,7 +1717,10 @@ NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p, NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p, struct lsa_GetSystemAccessAccount *r) { - struct lsa_info *info=NULL; + NTSTATUS status; + struct lsa_info *info = NULL; + struct lsa_EnumPrivsAccount e; + struct lsa_PrivilegeSet *privset; /* find the connection policy handle. */ @@ -1727,8 +1730,25 @@ NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p, if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION)) return NT_STATUS_ACCESS_DENIED; - if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL)) - return NT_STATUS_ACCESS_DENIED; + privset = talloc_zero(p->mem_ctx, struct lsa_PrivilegeSet); + if (!privset) { + return NT_STATUS_NO_MEMORY; + } + + e.in.handle = r->in.handle; + e.out.privs = &privset; + + status = _lsa_EnumPrivsAccount(p, &e); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("_lsa_GetSystemAccessAccount: " + "failed to call _lsa_EnumPrivsAccount(): %s\n", + nt_errstr(status))); + return status; + } + + /* Samba4 would iterate over the privset to merge the policy mode bits, + * not sure samba3 can do the same here, so just return what we did in + * the past - gd */ /* 0x01 -> Log on locally -- cgit