rpcclient: Ask for minimal permissions for SID and name lookups

The RPC calls to lookup SIDS and names only require the
POLICY_LOOKUP_NAMES permission. Only ask for that instead of the
MAXIMUM_ALLOWED flag. This allows these calls to work against a NetApp
that does not accept MAXIMUM_ALLOWED (see bugzilla 11105).

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

source3/rpcclient/cmd_lsarpc.c

@@ -237,7 +237,7 @@ static NTSTATUS cmd_lsa_lookup_names(struct rpc_pipe_client *cli,
 	}
 
 	status = rpccli_lsa_open_policy(cli, mem_ctx, True,
-				     SEC_FLAG_MAXIMUM_ALLOWED,
+					LSA_POLICY_LOOKUP_NAMES,
 					&pol);
 
 	if (!NT_STATUS_IS_OK(status))
@@ -288,7 +288,7 @@ static NTSTATUS cmd_lsa_lookup_names_level(struct rpc_pipe_client *cli,
 	}
 
 	status = rpccli_lsa_open_policy(cli, mem_ctx, True,
-				     SEC_FLAG_MAXIMUM_ALLOWED,
+					LSA_POLICY_LOOKUP_NAMES,
 					&pol);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto done;
@@ -406,7 +406,7 @@ static NTSTATUS cmd_lsa_lookup_sids(struct rpc_pipe_client *cli, TALLOC_CTX *mem
 	}
 
 	status = rpccli_lsa_open_policy(cli, mem_ctx, True,
-				     SEC_FLAG_MAXIMUM_ALLOWED,
+					LSA_POLICY_LOOKUP_NAMES,
 					&pol);
 
 	if (!NT_STATUS_IS_OK(status))
@@ -481,7 +481,7 @@ static NTSTATUS cmd_lsa_lookup_sids_level(struct rpc_pipe_client *cli,
 	}
 
 	status = rpccli_lsa_open_policy(cli, mem_ctx, True,
-				     SEC_FLAG_MAXIMUM_ALLOWED,
+					LSA_POLICY_LOOKUP_NAMES,
 					&pol);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto done;