From 7a3e4d04c7e06379eddacb4f025a3c48a0a754a4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 22 Nov 2012 15:53:14 +0100
Subject: [PATCH] s4:dsdb/descriptor: if the caller specifies no DACL/SACL the objects gets a default one

Signed-off-by: Stefan Metzmacher
Reviewed-by: Michael Adam
---
 source4/dsdb/samdb/ldb_modules/descriptor.c | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index fd08d49cdf3..73acc2f7a74 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -236,6 +236,11 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
 	char *sddl_sd;
 	struct dom_sid *default_owner;
 	struct dom_sid *default_group;
+	struct security_descriptor *default_descriptor = NULL;
+
+	if (objectclass != NULL) {
+		default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
+	}
 
 	if (object) {
 		user_descriptor = talloc(mem_ctx, struct security_descriptor);
@@ -251,7 +256,7 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
 			return NULL;
 		}
 	} else {
-		user_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
+		user_descriptor = default_descriptor;
 	}
 
 	if (old_sd) {
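Review bot: The schema default descriptor is now built via get_sd_unpacked() for every call with a non-NULL objectclass, including the common case where the caller supplied a descriptor that already carries both a DACL and a SACL and the default is never consulted; if get_sd_unpacked() parses SDDL each time, that is a per-object cost that could instead be incurred lazily only when a DACL or SACL is missing. The result is not NULL-checked at the new call site, so in the `} else {` branch of the second hunk a NULL default flows into user_descriptor exactly as the replaced direct call did — presumably handled downstream, but worth a comment. I would document the new variable at its declaration: `/* Schema default SD for objectclass; supplies the DACL/SACL when the caller's SD lacks one (see below). May be NULL. */`. get_new_descriptor starts before the first hunk and continues after the second.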
@@ -284,6 +289,28 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
 		}
 	}
 
+	if (user_descriptor && default_descriptor &&
+	    (user_descriptor->dacl == NULL))
+	{
+		user_descriptor->dacl = default_descriptor->dacl;
+		user_descriptor->type |= default_descriptor->type & (
+			SEC_DESC_DACL_PRESENT |
+			SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
+			SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
+			SEC_DESC_DACL_TRUSTED);
+	}
+
+	if (user_descriptor && default_descriptor &&
+	    (user_descriptor->sacl == NULL))
+	{
+		user_descriptor->sacl = default_descriptor->sacl;
+		user_descriptor->type |= default_descriptor->type & (
+			SEC_DESC_SACL_PRESENT |
+			SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
+			SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
+			SEC_DESC_SERVER_SECURITY);
+	}
+
 	default_owner = get_default_ag(mem_ctx, dn, session_info->security_token, ldb);
 	default_group = get_default_group(mem_ctx, ldb, default_owner);
--
2.11.4.GIT
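Review bot: The "no DACL specified" test keys on the pointer (`user_descriptor->dacl == NULL`) rather than on the SEC_DESC_DACL_PRESENT bit, so a caller-supplied descriptor that sets DACL_PRESENT with a NULL DACL — which in the Windows model means "everyone has access" — is indistinguishable here from one that omitted the DACL entirely, and is silently replaced by the schema default; the same applies to the SACL block below it. If replacing an explicit NULL DACL is the intended hardening, a comment should say so; if only an absent DACL should be defaulted, the condition would be `!(user_descriptor->type & SEC_DESC_DACL_PRESENT)` (and the SACL analogue). Note also that the default's ACL pointers are aliased into user_descriptor rather than copied, so any later in-place edit of user_descriptor->dacl (not visible in this hunk) would also alter default_descriptor; both appear to live under mem_ctx, so lifetime looks fine, but a one-line comment such as `/* shares the default's ACL; do not modify in place */` would make that explicit. get_new_descriptor continues past the end of this hunk.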