s3: smbd: Subtle change to semantics needed for smbd_check_access_rights_fsp().

smbd_check_access_rights() is checking permissions on a file *before*
open, so getting ACCESS_DENIED and mapping to NT_STATUS_OK when
reading the security descriptor is fine, as if we really don't have
access the open will fail.

smbd_check_access_rights_fsp() takes place *after* the open (pathref
or otherwise), so being unable to get the security decriptor should
be reported back to the caller and not mapped to NT_STATUS_OK.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 5094f41c690fda2e33aeca6b4a5b5efac0778551..b1d90412bf1c1814fd423d3d517b9643022e6d64 100644 (file)
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -293,9 +293,6 @@ NTSTATUS smbd_check_access_rights_fsp(struct files_struct *fsp,
                                      SECINFO_DACL),
                                     talloc_tos(),
                                     &sd);
-       if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
-               status = NT_STATUS_OK;
-       }
        if (!NT_STATUS_IS_OK(status)) {
                DBG_DEBUG("Could not get acl on %s: %s\n",
                          fsp_str_dbg(fsp),