summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2013-01-24 22:59:26 +0100
committerAndrew Bartlett <abartlet@samba.org>2013-01-27 20:14:20 +1100
commit38655a89cf902d0ea6657415e2f546c7622e279d (patch)
tree4fce167e587b8ccce9427d2cb9386012533960ba
parentcd5cb843b4d698ed2fedf635a020ff978ae40558 (diff)
downloadsamba-38655a89cf902d0ea6657415e2f546c7622e279d.tar.gz
samba-38655a89cf902d0ea6657415e2f546c7622e279d.tar.bz2
samba-38655a89cf902d0ea6657415e2f546c7622e279d.zip
dsdb-descriptor: get_default_group() should always return the DAG sid (bug #9481)
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/dsdb/samdb/ldb_modules/descriptor.c15
1 files changed, 10 insertions, 5 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index fb100f7628..d9bc89fe62 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -153,11 +153,16 @@ static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
struct dom_sid *dag)
{
- if (dsdb_functional_level(ldb) >= DS_DOMAIN_FUNCTION_2008) {
- return dag;
- }
-
- return NULL;
+ /*
+ * This depends on the function level of the DC
+ * which is 2008R2 in our case. Which means it is
+ * higher than 2003 and we should use the
+ * "default administrator group" also as owning group.
+ *
+ * This matches dcpromo for a 2003 domain
+ * on a Windows 2008R2 DC.
+ */
+ return dag;
}
static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,