author | Stefan Metzmacher <metze@samba.org> | 2013-01-08 15:55:36 +0100 |
---|---|---|
committer | Matthieu Patou <mat@samba.org> | 2013-01-17 11:21:10 +0100 |
commit | 6a1025551eb5b343ec996ae0c642d542162e8910 (patch) | |
tree | 1b676c3188eb6f34be8009c20cdfe415441bb76f | |
parent | ccf577da14194f5f3377226bcdb7e69b62a94851 (diff) | |
dsdb-acl: calculate sDRightsEffective based on "nTSecurityDescriptor"
acl_check_access_on_attribute should never be called with attr=NULL
because we don't check access on an attribute in that case
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Matthieu Patou <mat@matws.net>
Autobuild-User(master): Matthieu Patou <mat@samba.org>
Autobuild-Date(master): Thu Jan 17 11:21:10 CET 2013 on sn-devel-104
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c index 24b6507803..539363cb10 100644 --- a/source4/dsdb/samdb/ldb_modules/acl.c +++ b/source4/dsdb/samdb/ldb_modules/acl.c @@ -481,6 +481,14 @@ static int acl_sDRightsEffective(struct ldb_module *module, flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_SACL | SECINFO_DACL; } else { + const struct dsdb_attribute *attr; + + attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, + "nTSecurityDescriptor"); + if (attr == NULL) { + return ldb_operr(ldb); + } + /* Get the security descriptor from the message */ ret = dsdb_get_sd_from_ldb_message(ldb, msg, sd_msg, &sd); if (ret != LDB_SUCCESS) { @@ -492,7 +500,7 @@ static int acl_sDRightsEffective(struct ldb_module *module, sd, sid, SEC_STD_WRITE_OWNER, - NULL); + attr); if (ret == LDB_SUCCESS) { flags |= SECINFO_OWNER | SECINFO_GROUP; } @@ -501,7 +509,7 @@ static int acl_sDRightsEffective(struct ldb_module *module, sd, sid, SEC_STD_WRITE_DAC, - NULL); + attr); if (ret == LDB_SUCCESS) { flags |= SECINFO_DACL; } @@ -510,7 +518,7 @@ static int acl_sDRightsEffective(struct ldb_module *module, sd, sid, SEC_FLAG_SYSTEM_SECURITY, - NULL); + attr); if (ret == LDB_SUCCESS) { flags |= SECINFO_SACL; } |
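Review bot: The rule from the commit message, that acl_check_access_on_attribute must never receive attr == NULL, is enforced only by this caller; nothing visible in the patch makes the callee reject NULL, so a later caller could reintroduce the object-wide check without any failure. A guard at the top of the callee would turn that into a hard error, e.g. `if (attr == NULL) { return ldb_operr(ldb_module_get_ctx(module)); }` (assuming the callee receives the module pointer; its definition is outside the diff). The new lookup block would also benefit from a comment carrying the reason into the code, such as `/* sDRightsEffective describes write access to nTSecurityDescriptor, so check against that attribute */`. The body of acl_sDRightsEffective starts and ends outside this hunk.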
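Review bot: Each of the three acl_check_access_on_attribute calls, in this hunk and in the hunks at new lines 509 and 518, tests only `ret == LDB_SUCCESS`, so any other return is read as "right not held". That fails closed, but an internal error in the check becomes indistinguishable from a denial, and the client gets an under-reported sDRightsEffective with no trace of the failure. If the callee can return anything besides an access-denied code, consider propagating it with `} else if (ret != LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) { return ret; }`, after whatever cleanup the function performs outside the hunk.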