From 22bb2fd868b8df2244b801aeaa515a8a4036bce8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 6 Dec 2012 12:36:09 +0100
Subject: [PATCH] s4:dsdb/acl_read: return the nTSecurityDescriptor attr if the
 sd_flags control is given (bug #9470)

Not returning the nTSecurityDescriptor causes a lot of problems.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source4/dsdb/samdb/ldb_modules/acl_read.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 787e3ef5b95..9955451e778 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -296,6 +296,7 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
 	struct ldb_result *res;
 	struct aclread_private *p;
 	bool need_sd = false;
+	bool explicit_sd_flags = false;
 	bool is_untrusted = ldb_req_is_untrusted(req);
 	static const char * const _all_attrs[] = { "*", NULL };
 	bool all_attrs = false;
@@ -383,9 +384,15 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
 	 * expensive so we'd better had the ntsecuritydescriptor to the list of
 	 * searched attribute and then remove it !
 	 */
-	ac->sd_flags = dsdb_request_sd_flags(ac->req, NULL);
+	ac->sd_flags = dsdb_request_sd_flags(ac->req, &explicit_sd_flags);
 
-	need_sd = !(ldb_attr_in_list(attrs, "nTSecurityDescriptor"));
+	if (ldb_attr_in_list(attrs, "nTSecurityDescriptor")) {
+		need_sd = false;
+	} else if (explicit_sd_flags && all_attrs) {
+		need_sd = false;
+	} else {
+		need_sd = true;
+	}
 
 	if (!all_attrs) {
 		if (!ldb_attr_in_list(attrs, "instanceType")) {
-- 
2.11.4.GIT