From 5acd8bc01b23d6fc3d83eea9c3307feb7210879f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 24 Sep 2009 16:53:06 -0700 Subject: s4-acl: fixed SD creation Thanks for Nadya and Metze for this. The SDs were being created with invalid fields (noticed by w2k8-r2 client when joining our domain) --- source4/libcli/security/create_descriptor.c | 34 +++++++++++++++++++---------- 1 file changed, 22 insertions(+), 12 deletions(-) (limited to 'source4') diff --git a/source4/libcli/security/create_descriptor.c b/source4/libcli/security/create_descriptor.c index ebf07ac0fd..a7f5f41966 100644 --- a/source4/libcli/security/create_descriptor.c +++ b/source4/libcli/security/create_descriptor.c @@ -265,6 +265,9 @@ static struct security_acl *calculate_inherited_from_creator(TALLOC_CTX *mem_ctx if (!tmp_acl) return NULL; + tmp_acl->revision = acl->revision; + DEBUG(6,(__location__ ": acl revision %u\n", acl->revision)); + co = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_OWNER); cg = dom_sid_parse_talloc(tmp_ctx, SID_CREATOR_GROUP); @@ -411,28 +414,35 @@ struct security_descriptor *create_security_descriptor(TALLOC_CTX *mem_ctx, struct dom_sid *new_group = NULL; new_sd = security_descriptor_initialise(mem_ctx); - if (!new_sd) + if (!new_sd) { return NULL; - if (!creator_sd || !creator_sd->owner_sid){ - if (inherit_flags & SEC_OWNER_FROM_PARENT) + } + + if (!creator_sd || !creator_sd->owner_sid) { + if ((inherit_flags & SEC_OWNER_FROM_PARENT) && parent_sd) { new_owner = parent_sd->owner_sid; - else if (!default_owner) + } else if (!default_owner) { new_owner = token->user_sid; - else + } else { new_owner = default_owner; - } - else + new_sd->type |= SEC_DESC_OWNER_DEFAULTED; + } + } else { new_owner = creator_sd->owner_sid; + } if (!creator_sd || !creator_sd->group_sid){ - if (inherit_flags & SEC_GROUP_FROM_PARENT && parent_sd) + if ((inherit_flags & SEC_GROUP_FROM_PARENT) && parent_sd) { new_group = parent_sd->group_sid; - else if (!default_group) + } else if (!default_group) { new_group = token->group_sid; - else new_group = default_group; - } - else + } else { + new_group = default_group; + new_sd->type |= SEC_DESC_GROUP_DEFAULTED; + } + } else { new_group = creator_sd->group_sid; + } new_sd->owner_sid = talloc_memdup(new_sd, new_owner, sizeof(struct dom_sid)); new_sd->group_sid = talloc_memdup(new_sd, new_group, sizeof(struct dom_sid)); -- cgit