From 67045fafe8a826792a51a504aa85ee6d8e137059 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 21 Nov 2012 15:24:46 +0100
Subject: [PATCH] s4:dsdb/descriptor: always use descriptor_search_callback if
 we return nTSecurityDescriptor

If the nTSecurityDescriptor is explicitly specified
without the SD Flags control we should go through descriptor_search_callback().

This is not strictly needed at the moment, but makes the code clearer
and might avoid surprises in the future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
 source4/dsdb/samdb/ldb_modules/descriptor.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index db8bba73952..a876346b602 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -739,9 +739,20 @@ static int descriptor_search(struct ldb_module *module, struct ldb_request *req)
 	struct ldb_control *sd_control;
 	struct ldb_request *down_req;
 	struct descriptor_context *ac;
+	bool show_sd = false;
 
 	sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
-	if (!sd_control) {
+	if (sd_control != NULL) {
+		show_sd = true;
+	}
+
+	if (!show_sd &&
+	    ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"))
+	{
+		show_sd = true;
+	}
+
+	if (!show_sd) {
 		return ldb_next_request(module, req);
 	}
 
-- 
2.11.4.GIT