Bug 9298 - "net sam rights revoke" doesn't accept SID as parameter
Summary: "net sam rights revoke" doesn't accept SID as parameter
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools (show other bugs)
Version: 4.11.6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2012-10-18 08:04 UTC by Savvas Karagiannidis
Modified: 2020-02-11 21:40 UTC (History)

patch to allow SID as parameter to "net sam rights revoke" (912 bytes, patch)
2012-10-18 08:04 UTC, Savvas Karagiannidis
jra: review? (jra)

Description Savvas Karagiannidis 2012-10-18 08:04:21 UTC
Created attachment 8084
patch to allow SID as parameter to "net sam rights revoke"

"net sam rights" commands are used to manage the user rights. The backend, as I understand it, is always a local tdb (var/locks/account_policy.tdb).
The actual data stored there is the SID of the users or groups that the rights refer to. In many cases (especially where the authentication backend is ldap), users or groups may be deleted that have associated rights. In that case, the rights entry remains there, and when the list of users is queried, the SID is returned, since a corresponding user/group can no longer be found.

The problem is that even though we can see the rights assignment to the SID, there is no way of deleting it, since the <name> parameter in "net sam rights revoke <name> <rights>" command does not accept that SID as a value.

It's perfectly OK not to allow a SID when using the "net sam rights grant" command, but there should be a way of deleting these orphan entries by specifying the SID directly.

I have made a patch to propose as a solution, which I am attaching here.
Comment 1 Jeremy Allison 2012-11-02 23:54:18 UTC
This looks like a needed fix. I'll review and try to get it into the next releases.

We'll need a documentation fix also.

Thanks !

Comment 2 Björn Jacke 2020-02-11 21:40:07 UTC
Workaround to delete unresolved SIDs:

# tdbdump account_policy.tdb
... look up the key like 'PRIV_S-1-5-21-2634556170-624626-6265426-513\00' in my case, then:

# tdbtool account_policy.tdb delete 'PRIV_S-1-5-21-2634556170-624626-6265426-513\00'
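The workaround above relies on spotting orphaned "PRIV_<SID>\00" keys by eye in the tdbdump output. As an added example (not part of this bug report or of Samba's own tooling), the following script parses a constructed tdbdump listing, extracts the SID from every PRIV_ key, reports the ones that no longer resolve to a user or group, and prints the matching tdbtool delete command for each. The SID resolver is assumed: here it is a constructed set of known SIDs, where a real deployment would call something like `wbinfo -s`.

```python
import re

# Constructed sample of `tdbdump account_policy.tdb` output (not a real dump).
# tdbdump escapes non-printable bytes as \XX; a privilege grant key is
# "PRIV_" + SID + a terminating NUL, as quoted in the workaround above.
SAMPLE_DUMP = r'''
{
key(8) = "min pwd\00"
data(4) = "\05\00\00\00"
}
{
key(44) = "PRIV_S-1-5-21-2634556170-624626-6265426-513\00"
data(8) = "\02\00\00\00\00\00\00\00"
}
{
key(45) = "PRIV_S-1-5-21-2634556170-624626-6265426-1105\00"
data(8) = "\04\00\00\00\00\00\00\00"
}
'''

# Constructed stand-in for a SID lookup: RID 513 (Domain Users) still exists,
# the RID 1105 entry is an orphan whose account has been deleted.
KNOWN_SIDS = {"S-1-5-21-2634556170-624626-6265426-513"}

KEY_RE = re.compile(r'^key\(\d+\) = "(.*)"$', re.MULTILINE)
PRIV_PREFIX = b"PRIV_"


def unescape(escaped):
    """Turn tdbdump's \\XX escapes back into raw bytes."""
    text = re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), escaped)
    return text.encode("latin-1")


def privilege_sids(dump_text):
    """SIDs of every PRIV_ key in a tdbdump listing, in file order."""
    sids = []
    for match in KEY_RE.finditer(dump_text):
        raw = unescape(match.group(1))
        if raw.startswith(PRIV_PREFIX):
            sids.append(raw[len(PRIV_PREFIX):].rstrip(b"\x00").decode("ascii"))
    return sids


def orphaned_sids(dump_text, resolves):
    """PRIV_ entries whose SID the resolver can no longer map to a name."""
    return [sid for sid in privilege_sids(dump_text) if not resolves(sid)]


def revoke_command(sid):
    """The tdbtool invocation from the workaround for one orphaned key."""
    return f"tdbtool account_policy.tdb delete 'PRIV_{sid}\\00'"


if __name__ == "__main__":
    for sid in orphaned_sids(SAMPLE_DUMP, KNOWN_SIDS.__contains__):
        print(revoke_command(sid))
```

Run it against real output by replacing SAMPLE_DUMP with the captured tdbdump text and the resolver with a real lookup; review the printed commands before executing any of them.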