Windows only requires SEC_ADS_CONTROL_ACCESS for the check to pass.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 14 15:38:23 UTC 2022 on sn-devel-184
owner_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
ace = security.ace()
- ace.access_mask = security.SEC_ADS_GENERIC_ALL
+ ace.access_mask = security.SEC_ADS_CONTROL_ACCESS
ace.trustee = security.dom_sid(sid)
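Review bot: changing ace.access_mask in place means the test no longer covers an ACE carrying SEC_ADS_GENERIC_ALL, which, according to the comment added in the C hunk, is the mask Windows itself writes into the security descriptors it creates for RBCD. I would keep a case for each mask rather than replacing one with the other, and add a negative case whose ACE lacks SEC_ADS_CONTROL_ACCESS so the test pins down the minimum right the check now requires. A one-line comment next to the new mask saying why the narrower right is used would also help the next reader.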
struct auth_user_info_dc *user_info_dc = NULL;
struct auth_session_info *session_info = NULL;
uint32_t session_info_flags = AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
- uint32_t access_desired = SEC_ADS_GENERIC_ALL; /* => 0x000f01ff */
+ /*
+ * Testing shows that although Windows grants SEC_ADS_GENERIC_ALL access
+ * in security descriptors it creates for RBCD, its KDC only requires
+ * SEC_ADS_CONTROL_ACCESS for the access check to succeed.
+ */
+ uint32_t access_desired = SEC_ADS_CONTROL_ACCESS;
uint32_t access_granted = 0;
NTSTATUS nt_status;
TALLOC_CTX *mem_ctx = NULL;
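Review bot: the new access_desired value relaxes the RBCD access check from SEC_ADS_GENERIC_ALL to SEC_ADS_CONTROL_ACCESS, so an ACE granting only the control-access right now passes, yet the comment backs this up with nothing more than "Testing shows". Please record in the comment which Windows version was tested, or name the test that captures the behaviour, so the relaxation can be re-verified later. The removed line also annotated the mask with its numeric value (0x000f01ff); an equivalent annotation on the new line would keep that aid for anyone reading access masks in logs or traces.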