From 5959affa031843d741513000fb382efe54ff147b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 10 Jun 2013 13:31:59 +0200
Subject: dsdb: use AS_SYSTEM | SHOW_RECYCLED for access check searches

We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute.
Also the result of this search not controlled by the client nor is the result exposed to the client.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---
 source4/dsdb/common/dsdb_access.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'source4/dsdb/common')

diff --git a/source4/dsdb/common/dsdb_access.c b/source4/dsdb/common/dsdb_access.c
index 6af5c3ae87..84005b3e5e 100644
--- a/source4/dsdb/common/dsdb_access.c
+++ b/source4/dsdb/common/dsdb_access.c
@@ -159,7 +159,13 @@ int dsdb_check_access_on_dn(struct ldb_context *ldb,
 		}
 	}
 
-	ret = dsdb_search_dn(ldb, mem_ctx, &acl_res, dn, acl_attrs, DSDB_SEARCH_SHOW_DELETED);
+	/*
+	 * We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute.
+	 * Also the result of this search not controlled by the client
+	 * nor is the result exposed to the client.
+	 */
+	ret = dsdb_search_dn(ldb, mem_ctx, &acl_res, dn, acl_attrs,
+			     DSDB_FLAG_AS_SYSTEM | DSDB_SEARCH_SHOW_RECYCLED);
 	if (ret != LDB_SUCCESS) {
 		DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
 		return ret;
-- 
cgit
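Review bot: The comment added above the dsdb_search_dn() call is missing a verb on its second line; `* Also the result of this search is not controlled by the client` reads correctly, whereas the line as written does not. The comment also justifies only the AS_SYSTEM half of the new flag word, while the switch from DSDB_SEARCH_SHOW_DELETED to DSDB_SEARCH_SHOW_RECYCLED is explained neither in the hunk nor in the commit message, so a sentence stating why recycled objects must be reachable here (which I am inferring from the flag name) would help the next reader; something like `* SHOW_RECYCLED so that objects in the recycle bin are still found for the check.` if that is the intent. Because the lookup now bypasses access control, the statement that acl_res is never exposed to the client is the load-bearing security argument for this change, and it is worth keeping that invariant stated wherever acl_res is consumed. dsdb_check_access_on_dn() begins and ends outside this hunk.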