Bug 9298 - "net sam rights revoke" doesn't accept SID as parameter
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: Client Tools
Hardware: All All
Importance: P5 normal
Assigned To: Volker Lendecke
QA Contact: Samba QA Contact
Reported: 2012-10-18 08:04 UTC by Savvas Karagiannidis
Modified: 2012-11-02 23:54 UTC (History)

patch to allow SID as parameter to "net sam rights revoke" (912 bytes, patch)
2012-10-18 08:04 UTC, Savvas Karagiannidis
jra: review? (jra)

Description Savvas Karagiannidis 2012-10-18 08:04:21 UTC
Created attachment 8084
patch to allow SID as parameter to "net sam rights revoke"

The "net sam rights" commands are used to manage user rights. The backend, as I understand it, is always a local tdb (var/locks/account_policy.tdb).
The actual data stored there is the SID of the users or groups that the rights refer to. In many cases (especially where the authentication backend is LDAP), users or groups that have associated rights may be deleted. In that case, the rights entry remains there, and when the list of users is queried, the SID is returned, since a corresponding user/group can no longer be found.

The problem is that even though we can see the rights assignment to the SID, there is no way of deleting it, since the <name> parameter in "net sam rights revoke <name> <rights>" command does not accept that SID as a value.

It's perfectly OK not to allow an SID when using the "net sam rights grant" command, but there should be a way of deleting these orphan entries by specifying the SID directly.

I have made a patch to propose as a solution, which I am attaching here.
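
An added example, not part of the original report or the attached patch: a small audit helper that finds rights holders listed only as a bare SID, the orphan entries described above, and builds the matching "net sam rights revoke" command lines for review. The input mapping, the `EXAMPLE` domain and all SIDs are constructed, and passing a SID to revoke is assumed to work only with the proposed patch applied.

```python
import re

# String SID: S-<revision>-<identifier authority>-<sub-authority>...
_SID_RE = re.compile(r"^S-(\d+)-(0x[0-9a-f]+|\d+)((?:-\d+){1,15})$", re.I)

def parse_sid(text):
    """Return (revision, authority, sub_authorities), or None if not a SID."""
    m = _SID_RE.match(text.strip())
    if not m:
        return None
    auth = m.group(2)
    authority = int(auth, 16) if auth.lower().startswith("0x") else int(auth)
    subs = tuple(int(s) for s in m.group(3).split("-")[1:])
    # Field widths: revision must be 1, authority 48 bits, sub-authorities 32 bits.
    if int(m.group(1)) != 1 or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        return None
    return 1, authority, subs

def find_orphans(listing):
    """Map each right to its holders that are listed only as a bare SID.

    A bare SID only means no name was resolved for it; confirm the account
    is really gone before revoking anything.
    """
    orphans = {}
    for right, holders in listing.items():
        sids = [h.strip() for h in holders if parse_sid(h)]
        if sids:
            orphans[right] = sids
    return orphans

def revoke_commands(orphans):
    """Build argv lists for an administrator to review; nothing is executed."""
    return [["net", "sam", "rights", "revoke", sid, right]
            for right, sids in orphans.items() for sid in sids]

# Constructed sample (assumed shape): right -> holders as shown when listing.
SAMPLE = {
    "SeMachineAccountPrivilege": ["EXAMPLE\\Domain Admins",
                                  "S-1-5-21-1111111111-2222222222-3333333333-1105"],
    "SeDiskOperatorPrivilege": ["EXAMPLE\\storage-admins"],
    "SePrintOperatorPrivilege": ["S-1-5-21-1111111111-2222222222-3333333333-1190",
                                 "S-1-5-21-bogus"],
}

if __name__ == "__main__":
    for argv in revoke_commands(find_orphans(SAMPLE)):
        print(" ".join(argv))
```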
Comment 1 Jeremy Allison 2012-11-02 23:54:18 UTC
This looks like a needed fix. I'll review and try and get into the next releases.

We'll need a documentation fix also.

Thanks!