Privileges and usrmgr.exe

[simo]

On Mon, 2006-03-06 at 11:44 -0600, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> simo wrote:
> > I was testing usrmgr.exe (running it on an NT$ PDC against my test samba
> > server), and it seems it does not like when there is an unknown SID in
> > the privileges database. The traces shows that it ask for the lists of
> > privileges and then tries to resolve the SIDs. If we fail to resolve a
> > SID it just stamps me an Access Denied. We can probably cure this
> > problem by changing the error message (investigating this right now),
> > but I was thinking if we shouldn't be a bit more strict in what we let
> > admins put inside the db and by deleting corresponding entries when we
> > delete users or groups for our passdb.
> 
> Simo,
> 
> I think somewhere something has changed then.  I remember seeing
> usrmgr.exe showing SIDs that wouldn't resolve in the user rights
> dialog.  Can you verify what a Windows NT 4.0 DC does when you
> assign a privilege to a user/group and then delete that account?
> Thanks.

Actually, looking at the traces more closely seem we are failing to
properly answer to an LsarEnumeratePrivilegesAccount request about the
unknown SID.
Ethereal shows me we return error 0x00001002 which is not an NT_STATUS
error code, and just after that we return access denied to an
LsarGetSystemAccessAccount.

I think these 2 answers are the problem, we should probably issue the
proper error on the first and a different one on the second.
Btw, I'm not sure yet how it happens that we return a non-NT_STATUS
error, perhaps it is that we pass invalid data to the marshalling
routines, still looking into it.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org