dsdb-descriptor: get_default_group() should always return the DAG sid (bug #9481)
authorStefan Metzmacher <metze@samba.org>
Thu, 24 Jan 2013 21:59:26 +0000 (22:59 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Sun, 27 Jan 2013 09:14:20 +0000 (20:14 +1100)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/dsdb/samdb/ldb_modules/descriptor.c

index fb100f76283d74f09b50fc07acf29082de06098c..d9bc89fe62eec83d7447d5320b05231cea80021f 100644 (file)
@@ -153,11 +153,16 @@ static struct dom_sid *get_default_group(TALLOC_CTX *mem_ctx,
                                         struct ldb_context *ldb,
                                         struct dom_sid *dag)
 {
-       if (dsdb_functional_level(ldb) >= DS_DOMAIN_FUNCTION_2008) {
-               return dag;
-       }
-
-       return NULL;
+       /*
+        * This depends on the function level of the DC
+        * which is 2008R2 in our case. Which means it is
+        * higher than 2003 and we should use the
+        * "default administrator group" also as owning group.
+        *
+        * This matches dcpromo for a 2003 domain
+        * on a Windows 2008R2 DC.
+        */
+       return dag;
 }
 
 static struct security_descriptor *descr_handle_sd_flags(TALLOC_CTX *mem_ctx,
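Review bot: The new comment in get_default_group() says the result "depends on the function level of the DC", but the function now returns `dag` unconditionally and no longer reads `ldb` or `mem_ctx`, so nothing in the code ties the behaviour to the "2008R2 in our case" assumption. Because this value is used as the owning group of a security descriptor (per the comment), I would state the invariant outright, e.g. `/* The DC (not domain) functional level decides this; Samba acts as a 2008R2 DC, so the domain level is deliberately not consulted. */`, and mention that the two unused parameters are kept only for the existing signature. The old code could return NULL below the 2008 level, so it is also worth confirming that callers, which are outside this hunk, behave as intended now that NULL is returned only when `dag` itself is NULL.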