From 6e9072b2ffc84195e7349640357ddecac6762ed5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 26 Apr 2019 17:07:20 +0200
Subject: [PATCH] python/ntacls: we only need security.SEC_STD_READ_CONTROL in
 order to get the ACL

We should avoid security.SEC_FLAG_MAXIMUM_ALLOWED otherwise
we may get NT_STATUS_SHARING_VIOLATION when we run
'samba-tool domain backup online' against a Windows DC.
Windows DCs have hidden folders for the NtFrs or Dfsr services,
which are locked by the running service.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13917

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 15032ec6df1abbb53f1b1d5377aab369f83ae707)
---
 python/samba/ntacls.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/python/samba/ntacls.py b/python/samba/ntacls.py
index 5bf646caf9f..82d950fbbc9 100644
--- a/python/samba/ntacls.py
+++ b/python/samba/ntacls.py
@@ -49,7 +49,7 @@ SECURITY_SECINFO_FLAGS = security.SECINFO_OWNER | \
 
 # SEC_FLAG_SYSTEM_SECURITY is required otherwise get Access Denied
 SECURITY_SEC_FLAGS = security.SEC_FLAG_SYSTEM_SECURITY | \
-                     security.SEC_FLAG_MAXIMUM_ALLOWED
+                     security.SEC_STD_READ_CONTROL
 
 
 class XattrBackendError(Exception):
-- 
2.20.1