3 files changed, 57 insertions, 20 deletions

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 0a244f9bef..638955de97 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -191,6 +191,7 @@ static int acl_allowedAttributes(struct ldb_module *module,
 	TALLOC_CTX *mem_ctx;
 	const char **attr_list;
 	int i, ret;
+	const struct dsdb_class *objectclass;
 
 	/* If we don't have a schema yet, we can't do anything... */
 	if (schema == NULL) {
@@ -215,6 +216,19 @@ static int acl_allowedAttributes(struct ldb_module *module,
 		talloc_free(mem_ctx);
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
+
+	/*
+	 * Get the top-most structural object class for the ACL check
+	 */
+	objectclass = dsdb_get_last_structural_class(ac->schema,
+						     oc_el);
+	if (objectclass == NULL) {
+		ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s",
+				       ldb_dn_get_linearized(sd_msg->dn));
+		talloc_free(mem_ctx);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
 	if (ac->allowedAttributes) {
 		for (i=0; attr_list && attr_list[i]; i++) {
 			ldb_msg_add_string(msg, "allowedAttributes", attr_list[i]);
@@ -262,7 +276,8 @@ static int acl_allowedAttributes(struct ldb_module *module,
 							    sd,
 							    sid,
 							    SEC_ADS_WRITE_PROP,
-							    attr);
+							    attr,
+							    objectclass);
 			if (ret == LDB_SUCCESS) {
 				ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]);
 			}
@@ -479,10 +494,15 @@ static int acl_sDRightsEffective(struct ldb_module *module,
 	}
 	if (ac->am_system || as_system) {
 		flags = SECINFO_OWNER | SECINFO_GROUP |  SECINFO_SACL |  SECINFO_DACL;
-	}
-	else {
+	} else {
+		const struct dsdb_class *objectclass;
 		const struct dsdb_attribute *attr;
 
+		objectclass = dsdb_get_structural_oc_from_msg(ac->schema, sd_msg);
+		if (objectclass == NULL) {
+			return ldb_operr(ldb);
+		}
+
 		attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
 							 "nTSecurityDescriptor");
 		if (attr == NULL) {
@@ -500,7 +520,8 @@ static int acl_sDRightsEffective(struct ldb_module *module,
 						    sd,
 						    sid,
 						    SEC_STD_WRITE_OWNER,
-						    attr);
+						    attr,
+						    objectclass);
 		if (ret == LDB_SUCCESS) {
 			flags |= SECINFO_OWNER | SECINFO_GROUP;
 		}
@@ -509,7 +530,8 @@ static int acl_sDRightsEffective(struct ldb_module *module,
 						    sd,
 						    sid,
 						    SEC_STD_WRITE_DAC,
-						    attr);
+						    attr,
+						    objectclass);
 		if (ret == LDB_SUCCESS) {
 			flags |= SECINFO_DACL;
 		}
@@ -518,7 +540,8 @@ static int acl_sDRightsEffective(struct ldb_module *module,
 						    sd,
 						    sid,
 						    SEC_FLAG_SYSTEM_SECURITY,
-						    attr);
+						    attr,
+						    objectclass);
 		if (ret == LDB_SUCCESS) {
 			flags |= SECINFO_SACL;
 		}
@@ -636,8 +659,8 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
 			 struct ldb_request *req,
 			 struct security_descriptor *sd,
 			 struct dom_sid *sid,
-			 const struct GUID *oc_guid,
-			 const struct dsdb_attribute *attr)
+			 const struct dsdb_attribute *attr,
+			 const struct dsdb_class *objectclass)
 {
 	int ret;
 	unsigned int i;
@@ -671,7 +694,7 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
 					  sd,
 					  sid,
 					  SEC_ADS_WRITE_PROP,
-					  attr) == LDB_SUCCESS) {
+					  attr, objectclass) == LDB_SUCCESS) {
 		talloc_free(tmp_ctx);
 		return LDB_SUCCESS;
 	}
@@ -828,8 +851,8 @@ static int acl_check_self_membership(TALLOC_CTX *mem_ctx,
 				     struct ldb_request *req,
 				     struct security_descriptor *sd,
 				     struct dom_sid *sid,
-				     const struct GUID *oc_guid,
-				     const struct dsdb_attribute *attr)
+				     const struct dsdb_attribute *attr,
+				     const struct dsdb_class *objectclass)
 {
 	int ret;
 	unsigned int i;
@@ -842,7 +865,7 @@ static int acl_check_self_membership(TALLOC_CTX *mem_ctx,
 					  sd,
 					  sid,
 					  SEC_ADS_WRITE_PROP,
-					  attr) == LDB_SUCCESS) {
+					  attr, objectclass) == LDB_SUCCESS) {
 		return LDB_SUCCESS;
 	}
 	/* if we are adding/deleting ourselves, check for self membership */
@@ -884,7 +907,7 @@ static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
 				     struct ldb_request *req,
 				     struct security_descriptor *sd,
 				     struct dom_sid *sid,
-				     const struct GUID *oc_guid,
+				     const struct dsdb_class *objectclass,
 				     bool userPassword)
 {
 	int ret = LDB_SUCCESS;
@@ -1109,8 +1132,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 							req,
 							sd,
 							sid,
-							&objectclass->schemaIDGUID,
-							attr);
+							attr,
+							objectclass);
 			if (ret != LDB_SUCCESS) {
 				goto fail;
 			}
@@ -1126,7 +1149,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 							req,
 							sd,
 							sid,
-							&objectclass->schemaIDGUID,
+							objectclass,
 							userPassword);
 			if (ret != LDB_SUCCESS) {
 				goto fail;
@@ -1137,8 +1160,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
 					    req,
 					    sd,
 					    sid,
-					    &objectclass->schemaIDGUID,
-					    attr);
+					    attr,
+					    objectclass);
 			if (ret != LDB_SUCCESS) {
 				goto fail;
 			}
diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index dcabd56a78..07b1bc4e5e 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -76,6 +76,7 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 	struct dom_sid *sid = NULL;
 	TALLOC_CTX *tmp_ctx;
 	uint32_t instanceType;
+	const struct dsdb_class *objectclass;
 
 	ac = talloc_get_type(req->context, struct aclread_context);
 	ldb = ldb_module_get_ctx(ac->module);
@@ -98,6 +99,17 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 			ret = LDB_ERR_OPERATIONS_ERROR;
 			goto fail;
 		}
+		/*
+		 * Get the most specific structural object class for the ACL check
+		 */
+		objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg);
+		if (objectclass == NULL) {
+			ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s",
+					       ldb_dn_get_linearized(msg->dn));
+			ret = LDB_ERR_OPERATIONS_ERROR;
+			goto fail;
+		}
+
 		sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
 		/* get the object instance type */
 		instanceType = ldb_msg_find_attr_as_uint(msg,
@@ -196,7 +208,8 @@ static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
 							    sd,
 							    sid,
 							    access_mask,
-							    attr);
+							    attr,
+							    objectclass);
 
 			/*
 			 * Dirsync control needs the replpropertymetadata attribute
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index bbf8e660a6..95ab2752c7 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -96,7 +96,8 @@ int acl_check_access_on_attribute(struct ldb_module *module,
 				  struct security_descriptor *sd,
 				  struct dom_sid *rp_sid,
 				  uint32_t access_mask,
-				  const struct dsdb_attribute *attr)
+				  const struct dsdb_attribute *attr,
+				  const struct dsdb_class *objectclass)
 {
 	int ret;
 	NTSTATUS status;