1 files changed, 13 insertions, 9 deletions

diff --git a/source3/lib/secdesc.c b/source3/lib/secdesc.c
index 1da2b3ec93..df85336603 100644
--- a/source3/lib/secdesc.c
+++ b/source3/lib/secdesc.c
@@ -529,7 +529,7 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 
 			/* First add the regular ACE entry. */
 			init_sec_ace(new_ace, ptrustee, ace->type,
-			     	ace->access_mask, SEC_ACE_FLAG_INHERITED_ACE);
+			     	ace->access_mask, 0);
 
 			DEBUG(5,("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x"
 				" inherited as %s:%d/0x%02x/0x%08x\n",
@@ -546,10 +546,13 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 
 			ptrustee = creator;
 			new_flags |= SEC_ACE_FLAG_INHERIT_ONLY;
+		} else if (container &&
+				!(ace->flags & SEC_ACE_FLAG_NO_PROPAGATE_INHERIT)) {
+			ptrustee = &ace->trustee;
 		}
 
 		init_sec_ace(new_ace, ptrustee, ace->type,
-			     ace->access_mask, new_flags | SEC_ACE_FLAG_INHERITED_ACE);
+			     ace->access_mask, new_flags);
 
 		DEBUG(5, ("se_create_child_secdesc(): %s:%d/0x%02x/0x%08x "
 			  " inherited as %s:%d/0x%02x/0x%08x\n",
@@ -563,19 +566,20 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 	}
 
 	/* Create child security descriptor to return */
-
-	new_dacl = make_sec_acl(ctx,
-				ACL_REVISION,
+	if (new_ace_list_ndx) {
+		new_dacl = make_sec_acl(ctx,
+				NT4_ACL_REVISION,
 				new_ace_list_ndx,
 				new_ace_list);
 
-	if (!new_dacl) {
-		return NT_STATUS_NO_MEMORY;
+		if (!new_dacl) {
+			return NT_STATUS_NO_MEMORY;
+		}
 	}
+
 	*ppsd = make_sec_desc(ctx,
 			SECURITY_DESCRIPTOR_REVISION_1,
-			SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT|
-				SEC_DESC_DACL_DEFAULTED,
+			SEC_DESC_SELF_RELATIVE|SEC_DESC_DACL_PRESENT,
 			owner_sid,
 			group_sid,
 			NULL,