Revert the extra SAMR and LSA checks.
authorJeremy Allison <jra@samba.org>
Fri, 12 Jun 2009 08:27:07 +0000 (10:27 +0200)
committerKarolin Seeger <kseeger@samba.org>
Mon, 15 Jun 2009 08:12:19 +0000 (10:12 +0200)
These were added between 3.2.4 and 3.2.5 and have caused problems for users.
This fixes, among others, bugs #6089 and #6112.
(cherry picked from commit f2a29585123e6072a75eb9abdd202f99f5a01e1e)

source/rpc_server/srv_lsa_nt.c
source/rpc_server/srv_samr_nt.c

index fd6cdfab0309fa38d0d2cd493d4678c4f97c20c3..697cc5208db9624f9fa0167355bc1f411d667c04 100644 (file)
@@ -1629,9 +1629,6 @@ NTSTATUS _lsa_EnumPrivsAccount(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
-       if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
-               return NT_STATUS_ACCESS_DENIED;
-
        if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) )
                return NT_STATUS_OBJECT_NAME_NOT_FOUND;
 
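Review bot: Once `find_policy_by_hnd()` succeeds, nothing in the new code of this hunk consults `info->access` before `get_privileges_for_sids()` runs, so a handle opened with any access mask appears to be enough to read the account's privileges. The same holds for the hunks in `_lsa_GetSystemAccessAccount`, `_lsa_EnumAccountRights` and `_lsa_LookupPrivValue`. Since the omission is deliberate, it should be recorded at each site so it gets revisited once the correct right is known, for example `/* No access-mask check: the LSA_POLICY_VIEW_LOCAL_INFORMATION test was reverted after user problems (see bugs #6089, #6112); revisit with the correct right. */`. The function bodies start and end outside the hunks, so a check elsewhere in them cannot be ruled out from here.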
@@ -1692,9 +1689,6 @@ NTSTATUS _lsa_GetSystemAccessAccount(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
-       if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
-               return NT_STATUS_ACCESS_DENIED;
-
        if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL))
                return NT_STATUS_ACCESS_DENIED;
 
@@ -2097,9 +2091,6 @@ NTSTATUS _lsa_EnumAccountRights(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
-       if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
-               return NT_STATUS_ACCESS_DENIED;
-
        /* according to an NT4 PDC, you can add privileges to SIDs even without
           call_lsa_create_account() first.  And you can use any arbitrary SID. */
 
@@ -2142,9 +2133,6 @@ NTSTATUS _lsa_LookupPrivValue(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
-       if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
-               return NT_STATUS_ACCESS_DENIED;
-
        name = r->in.name->string;
 
        DEBUG(10,("_lsa_lookup_priv_value: name = %s\n", name));
index a394eb3b90c5869b1b3369cb3a0da1f56d635dca..47aa1e9a9b045db1b765f9b0b7746e73da3219d0 100644 (file)
@@ -862,13 +862,6 @@ NTSTATUS _samr_QuerySecurity(pipes_struct *p,
        DEBUG(10,("_samr_QuerySecurity: querying security on SID: %s\n",
                  sid_string_dbg(&pol_sid)));
 
-       status = access_check_samr_function(acc_granted,
-                                           STD_RIGHT_READ_CONTROL_ACCESS,
-                                           "_samr_QuerySecurity");
-       if (!NT_STATUS_IS_OK(status)) {
-               return status;
-       }
-
        /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
 
        /* To query the security of the SAM it self an invalid SID with S-0-0 is passed to this function */
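Review bot: The query path in `_samr_QuerySecurity` no longer compares `acc_granted` with any right before it proceeds, and the hunks in `_samr_QueryDisplayInfo`, `_samr_QueryUserInfo`, `_samr_QueryDomainInfo` and `_samr_GetDisplayEnumerationIndex` drop their checks the same way, leaving handle validity as the only gate visible in these hunks. Two of them previously required `SA_RIGHT_DOMAIN_ENUM_ACCOUNTS`, so it is worth logging the mask callers actually hold to work out which bits the affected clients lacked, e.g. `DEBUG(10,("_samr_QueryDisplayInfo: acc_granted 0x%x\n", (unsigned int)info->acc_granted));`. The `_samr_LookupRids` check asked for 0 access bits, so its removal presumably changes little. All of these function bodies continue outside the hunks.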
@@ -1483,13 +1476,6 @@ NTSTATUS _samr_QueryDisplayInfo(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
-       status = access_check_samr_function(info->acc_granted,
-                                           SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
-                                           "_samr_QueryDisplayInfo");
-       if (!NT_STATUS_IS_OK(status)) {
-               return status;
-       }
-
        /*
         * calculate how many entries we will return.
         * based on
@@ -2132,13 +2118,6 @@ NTSTATUS _samr_LookupRids(pipes_struct *p,
        if (!get_lsa_policy_samr_sid(p, r->in.domain_handle, &pol_sid, &acc_granted, NULL))
                return NT_STATUS_INVALID_HANDLE;
 
-       status = access_check_samr_function(acc_granted,
-                                           0, /* Don't know the acc_bits yet */
-                                           "_samr__LookupRids");
-       if (!NT_STATUS_IS_OK(status)) {
-               return status;
-       }
-
        if (num_rids > 1000) {
                DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
                          "to samba4 idl this is not possible\n", num_rids));
@@ -2711,13 +2690,6 @@ NTSTATUS _samr_QueryUserInfo(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.user_handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
-       status = access_check_samr_function(info->acc_granted,
-                                           SAMR_USER_ACCESS_GET_ATTRIBUTES,
-                                           "_samr_QueryUserInfo");
-       if (!NT_STATUS_IS_OK(status)) {
-               return status;
-       }
-
        domain_sid = info->sid;
 
        sid_split_rid(&domain_sid, &rid);
@@ -2961,13 +2933,6 @@ NTSTATUS _samr_QueryDomainInfo(pipes_struct *p,
                return NT_STATUS_INVALID_HANDLE;
        }
 
-       status = access_check_samr_function(info->acc_granted,
-                                           SA_RIGHT_SAM_LOOKUP_DOMAIN,
-                                           "_samr_QueryDomainInfo" );
-
-       if ( !NT_STATUS_IS_OK(status) )
-               return status;
-
        switch (r->in.level) {
                case 0x01:
 
@@ -5682,7 +5647,6 @@ NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
        time_t u_expire, u_min_age;
        time_t u_logout;
        time_t u_lock_duration, u_reset_time;
-       NTSTATUS result;
 
        DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
 
@@ -5690,20 +5654,6 @@ NTSTATUS _samr_SetDomainInfo(pipes_struct *p,
        if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
                return NT_STATUS_INVALID_HANDLE;
 
-       /* We do have different access bits for info
-        * levels here, but we're really just looking for
-        * GENERIC_RIGHTS_DOMAIN_WRITE access. Unfortunately
-        * this maps to different specific bits. So
-        * assume if we have SA_RIGHT_DOMAIN_SET_INFO_1
-        * set we are ok. */
-
-       result = access_check_samr_function(info->acc_granted,
-                                           SA_RIGHT_DOMAIN_SET_INFO_1,
-                                           "_samr_SetDomainInfo");
-
-       if (!NT_STATUS_IS_OK(result))
-               return result;
-
        DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
 
        switch (r->in.level) {
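Review bot: `_samr_SetDomainInfo` is a write path, and after this hunk the `switch (r->in.level)` is reached with only `find_policy_by_hnd()` in front of it, so a domain handle opened with read-only access appears able to reach the set cases unless a later check exists outside the hunk. Unless this particular check is one of those tied to the cited bugs, it would be safer to keep it for the setter while reverting the query functions: `result = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_SET_INFO_1, "_samr_SetDomainInfo");` followed by `if (!NT_STATUS_IS_OK(result)) return result;`. That also needs the `NTSTATUS result;` declaration which the preceding hunk removes. The removed comment already noted that the info levels map to different specific bits, so a per-level check inside the switch would be the more exact form.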
@@ -5761,7 +5711,6 @@ NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p,
        int i;
        uint32_t num_account = 0;
        struct samr_displayentry *entries = NULL;
-       NTSTATUS status;
 
        DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__));
 
@@ -5770,13 +5719,6 @@ NTSTATUS _samr_GetDisplayEnumerationIndex(pipes_struct *p,
                return NT_STATUS_INVALID_HANDLE;
        }
 
-       status = access_check_samr_function(info->acc_granted,
-                                           SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
-                                           "_samr_GetDisplayEnumerationIndex");
-       if (!NT_STATUS_IS_OK(status)) {
-               return status;
-       }
-
        if ((r->in.level < 1) || (r->in.level > 3)) {
                DEBUG(0,("_samr_GetDisplayEnumerationIndex: "
                        "Unknown info level (%u)\n",