dsdb: use AS_SYSTEM | SHOW_RECYCLED for access check searches
author: Stefan Metzmacher <metze@samba.org>
Mon, 10 Jun 2013 11:31:59 +0000 (13:31 +0200)
committer: Stefan Metzmacher <metze@samba.org>
Thu, 13 Jun 2013 11:57:42 +0000 (13:57 +0200)
We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute.
Also the result of this search is not controlled by the client,
nor is the result exposed to the client.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/common/dsdb_access.c

index 6af5c3ae879ad927b6592fbcbbfae25c557ea198..84005b3e5ef355b2f63bfeb0248f5b67c9e179f9 100644 (file)
@@ -159,7 +159,13 @@ int dsdb_check_access_on_dn(struct ldb_context *ldb,
                }
        }
 
-       ret = dsdb_search_dn(ldb, mem_ctx, &acl_res, dn, acl_attrs, DSDB_SEARCH_SHOW_DELETED);
+       /*
+        * We need AS_SYSTEM in order to get the nTSecurityDescriptor attribute.
+        * Also the result of this search not controlled by the client
+        * nor is the result exposed to the client.
+        */
+       ret = dsdb_search_dn(ldb, mem_ctx, &acl_res, dn, acl_attrs,
+                            DSDB_FLAG_AS_SYSTEM | DSDB_SEARCH_SHOW_RECYCLED);
        if (ret != LDB_SUCCESS) {
                DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
                return ret;
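Review bot: The new comment justifies DSDB_FLAG_AS_SYSTEM but says nothing about the second change in the same line, the switch from DSDB_SEARCH_SHOW_DELETED to DSDB_SEARCH_SHOW_RECYCLED; since the only failure path here is the "failed to find object" return that follows, a sentence stating that recycled objects must also be found for the access check to be performed at all would make the intent reviewable. The comment also has a grammar slip, "the result of this search not controlled by the client" is missing "is". Finally, because AS_SYSTEM bypasses the caller's ACL for this lookup, the safety argument rests entirely on acl_res never reaching the client, so acl_attrs should stay limited to what dsdb_check_access_on_dn needs and this pattern should not be copied to searches whose results are returned to the client.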