TODO: SEC_DEFAULT_DESCRIPTOR...
authorStefan Metzmacher <metze@samba.org>
Fri, 16 Nov 2012 16:57:40 +0000 (17:57 +0100)
committerStefan Metzmacher <metze@samba.org>
Mon, 19 Nov 2012 11:02:05 +0000 (12:02 +0100)
source4/dsdb/samdb/ldb_modules/descriptor.c

index 0a262885d8c4030ef2eba8a0286eceded8f10444..ed33aa1c94b1f87290d597ff855d7a49958b37fc 100644 (file)
@@ -229,6 +229,7 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
        char *sddl_sd;
        struct dom_sid *default_owner;
        struct dom_sid *default_group;
+       uint32_t inherit_flags = SEC_DACL_AUTO_INHERIT|SEC_SACL_AUTO_INHERIT;
 
        if (object) {
                user_descriptor = talloc(mem_ctx, struct security_descriptor);
@@ -244,6 +245,8 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
                        return NULL;
                }
        } else {
+               inherit_flags |= SEC_DEFAULT_DESCRIPTOR;
+
                user_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
        }
 
@@ -281,7 +284,7 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
                                       session_info->security_token, ldb);
        default_group = get_default_group(mem_ctx, ldb, default_owner);
        new_sd = create_security_descriptor(mem_ctx, parent_descriptor, user_descriptor, true,
-                                           NULL, SEC_DACL_AUTO_INHERIT|SEC_SACL_AUTO_INHERIT,
+                                           NULL, inherit_flags,
                                            session_info->security_token,
                                            default_owner, default_group,
                                            map_generic_rights_ds);
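Review bot: The added `inherit_flags |= SEC_DEFAULT_DESCRIPTOR;` in the `else` branch changes how the ACLs are computed for every object created without a client-supplied descriptor, yet neither the code nor the commit (titled only "TODO") says why. Judging by the flag name, it marks the objectclass default from `get_sd_unpacked()` as a default that `create_security_descriptor()` may set aside in favour of ACEs inherited from `parent_descriptor`; that should be confirmed against the implementation, which is not in this diff. I would add a comment above the line, for example `/* no descriptor from the client: the schema default is only a fallback and may be overridden by inheritance */`, and a test that pins the resulting DACL for the no-descriptor case. The flag is set before `get_sd_unpacked()` is called, so if that helper can return NULL it is worth checking how `create_security_descriptor()` treats SEC_DEFAULT_DESCRIPTOR with no creator descriptor. `get_new_descriptor()` starts and ends outside these hunks.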