s4:ldif_handlers Allow a binary nTsecurityDescriptor when parsing LDIF

Also allow a SDDL security descriptor, using the domain SID attached
to the session (it will search for it during the LDIF parse if need
be).

Andrew Bartlett

1 files changed, 17 insertions, 1 deletions

diff --git a/source4/lib/ldb-samba/ldif_handlers.c b/source4/lib/ldb-samba/ldif_handlers.c
index d2f26e7510..606d4df761 100644
--- a/source4/lib/ldb-samba/ldif_handlers.c
+++ b/source4/lib/ldb-samba/ldif_handlers.c
@@ -314,18 +314,34 @@ static int ldif_read_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx
 					  const struct ldb_val *in, struct ldb_val *out)
 {
 	struct security_descriptor *sd;
+
 	enum ndr_err_code ndr_err;
 
-	sd = sddl_decode(mem_ctx, (const char *)in->data, NULL);
+	sd = talloc(mem_ctx, struct security_descriptor);
 	if (sd == NULL) {
 		return -1;
 	}
+
+	ndr_err = ndr_pull_struct_blob(in, sd, NULL, sd,
+				       (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		/* If this does not parse, then it is probably SDDL, and we should try it that way */
+		
+		struct dom_sid *sid = samdb_domain_sid(ldb);
+		talloc_free(sd);
+		sd = sddl_decode(mem_ctx, (const char *)in->data, sid);
+		if (sd == NULL) {
+			return -1;
+		}
+	}
+
 	ndr_err = ndr_push_struct_blob(out, mem_ctx, NULL, sd,
 				       (ndr_push_flags_fn_t)ndr_push_security_descriptor);
 	talloc_free(sd);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		return -1;
 	}
+
 	return 0;
 }