From a09f9cfd2f95667dae96f34b81023360d40a1783 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 26 Mar 2015 21:52:27 +0100
Subject: [PATCH] s4:rpc_server/lsa: normalize the access_mask for lsa account
 objects

We still grant all access in the access_mask, but we don't check the
mask at all yet...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
---
 source4/rpc_server/lsa/dcesrv_lsa.c | 39 +++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 98b0def2c85..2a465d4d812 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -639,6 +639,13 @@ static NTSTATUS dcesrv_lsa_ClearAuditLog(struct dcesrv_call_state *dce_call, TAL
 }
 
 
+static const struct generic_mapping dcesrv_lsa_account_mapping = {
+	LSA_ACCOUNT_READ,
+	LSA_ACCOUNT_WRITE,
+	LSA_ACCOUNT_EXECUTE,
+	LSA_ACCOUNT_ALL_ACCESS
+};
+
 /*
   lsa_CreateAccount
 
@@ -679,6 +686,22 @@ static NTSTATUS dcesrv_lsa_CreateAccount(struct dcesrv_call_state *dce_call, TAL
 	astate->policy = talloc_reference(astate, state);
 	astate->access_mask = r->in.access_mask;
 
+	/*
+	 * For now we grant all requested access.
+	 *
+	 * We will fail at the ldb layer later.
+	 */
+	if (astate->access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
+		astate->access_mask &= ~SEC_FLAG_MAXIMUM_ALLOWED;
+		astate->access_mask |= LSA_ACCOUNT_ALL_ACCESS;
+	}
+	se_map_generic(&astate->access_mask, &dcesrv_lsa_account_mapping);
+
+	DEBUG(10,("%s: %s access desired[0x%08X] granted[0x%08X].\n",
+		  __func__, dom_sid_string(mem_ctx, astate->account_sid),
+		 (unsigned)r->in.access_mask,
+		 (unsigned)astate->access_mask));
+
 	ah = dcesrv_handle_new(dce_call->context, LSA_HANDLE_ACCOUNT);
 	if (!ah) {
 		talloc_free(astate);
@@ -2504,6 +2527,22 @@ static NTSTATUS dcesrv_lsa_OpenAccount(struct dcesrv_call_state *dce_call, TALLO
 	astate->policy = talloc_reference(astate, state);
 	astate->access_mask = r->in.access_mask;
 
+	/*
+	 * For now we grant all requested access.
+	 *
+	 * We will fail at the ldb layer later.
+	 */
+	if (astate->access_mask & SEC_FLAG_MAXIMUM_ALLOWED) {
+		astate->access_mask &= ~SEC_FLAG_MAXIMUM_ALLOWED;
+		astate->access_mask |= LSA_ACCOUNT_ALL_ACCESS;
+	}
+	se_map_generic(&astate->access_mask, &dcesrv_lsa_account_mapping);
+
+	DEBUG(10,("%s: %s access desired[0x%08X] granted[0x%08X] - success.\n",
+		  __func__, dom_sid_string(mem_ctx, astate->account_sid),
+		 (unsigned)r->in.access_mask,
+		 (unsigned)astate->access_mask));
+
 	ah = dcesrv_handle_new(dce_call->context, LSA_HANDLE_ACCOUNT);
 	if (!ah) {
 		talloc_free(astate);
-- 
2.11.4.GIT