Created attachment 8084 [details]
patch to allow SID as parameter to "net sam rights revoke"
"net sam rights" commands are used to manage the user rights. The backend, as I understand it, is always a local tdb (var/locks/account_policy.tdb).
The actual data stored there is the SID of the users or groups that the rights refer to. In many cases (especially where the authentication backend is ldap), users or groups may be deleted that have associated rights. In that case, the rights entry remains there, and when the list of users is queried, the SID is returned, since a corresponding user/group can no longer be found.
The problem is that even though we can see the rights assignment to the SID, there is no way of deleting it, since the <name> parameter in the "net sam rights revoke <name> <rights>" command does not accept that SID as a value.
It's perfectly OK not to allow an SID when using the "net sam rights grant" command, but there should be a way of deleting these orphan entries by specifying the SID directly.
I have made a patch to propose as a solution, which I am attaching here.
This looks like a needed fix. I'll review it and try to get it into the next releases.
We'll need a documentation fix also.
workaround to delete unresolved SIDs:
# tdbdump account_policy.tdb
... look up the key like 'PRIV_S-1-5-21-2634556170-624626-6265426-513\00' in my case, then:
# tdbtool account_policy.tdb delete 'PRIV_S-1-5-21-2634556170-624626-6265426-513\00'
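The tdbdump/tdbtool workaround above is easy to get wrong by hand on a database with many PRIV_ records, so here is an added helper (example code, not part of the bug report or of Samba) that parses tdbdump output, picks out every "PRIV_<SID>" key, and prints a tdbtool delete command only for SIDs that no longer resolve. It assumes tdbdump's record layout (a `key(N) = "..."` line per record with non-printable bytes escaped as `\XX`), and the SID resolver is a caller-supplied predicate; the sample dump and the KNOWN_SIDS set are constructed for the example, and in a real run the predicate would wrap something like `wbinfo -s <sid>` instead.

```python
"""Emit 'tdbtool account_policy.tdb delete ...' commands for orphaned PRIV_<SID> keys.

Added example: parses `tdbdump account_policy.tdb` text and reproduces the manual
workaround from the thread. Nothing is deleted by this script itself; it only
prints the tdbtool commands for review.
"""
import re
import sys

# Constructed sample of tdbdump output (assumption about the exact layout: one
# record per `{ ... }` block, key/data lengths in parentheses, bytes that are not
# printable escaped as \XX). The data payload is irrelevant for this task.
SAMPLE_DUMP = r'''{
key(44) = "PRIV_S-1-5-21-2634556170-624626-6265426-512\00"
data(8) = "\01\00\00\00\00\00\00\00"
}
{
key(44) = "PRIV_S-1-5-21-2634556170-624626-6265426-513\00"
data(8) = "\01\00\00\00\00\00\00\00"
}
{
key(20) = "min password length\00"
data(4) = "\05\00\00\00"
}
'''

# Constructed stand-in for "which SIDs still resolve to a user or group".
KNOWN_SIDS = {"S-1-5-21-2634556170-624626-6265426-512"}

KEY_RE = re.compile(r'^key\((\d+)\) = "(.*)"$')
ESC_RE = re.compile(r'\\([0-9A-Fa-f]{2})')
SID_RE = re.compile(r'^S-1-\d+(?:-\d+)+$')


def unescape(text):
    """Reverse tdbdump's \\XX escaping (one byte per escape, latin-1 mapping)."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def priv_keys(dump):
    """Yield (escaped_key, sid) for each PRIV_<SID> record in the dump text.

    The escaped key is kept exactly as tdbdump printed it, including the trailing
    \\00, because that is the form tdbtool delete is given in the workaround.
    """
    for line in dump.splitlines():
        m = KEY_RE.match(line)
        if not m:
            continue
        raw = unescape(m.group(2))
        if len(raw) != int(m.group(1)):
            # A hand-edited or truncated dump; refuse rather than guess.
            raise ValueError("key length mismatch on line: %r" % line)
        if not raw.startswith("PRIV_"):
            continue
        sid = raw[len("PRIV_"):].rstrip("\x00")
        if SID_RE.match(sid):
            yield m.group(2), sid


def orphan_delete_commands(dump, resolves, db="account_policy.tdb"):
    """Return tdbtool delete commands for PRIV_ keys whose SID does not resolve.

    `resolves(sid)` must return True when the SID still maps to a user or group;
    in production wrap `wbinfo -s <sid>` or your passdb lookup there (assumption).
    """
    return [
        "tdbtool %s delete '%s'" % (db, key)
        for key, sid in priv_keys(dump)
        if not resolves(sid)
    ]


if __name__ == "__main__":
    # Usage: tdbdump account_policy.tdb | python3 this_script.py
    # With no stdin, run against the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for cmd in orphan_delete_commands(text, lambda s: s in KNOWN_SIDS):
        print(cmd)
```

Review the printed commands before running them: the script deliberately does not call tdbtool, since a wrong resolver (winbind down, wrong domain) would otherwise turn every privilege assignment into an "orphan".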