s4:dsdb/acl: calculate the correct access_mask when modifying nTSecurityDescriptor
authorStefan Metzmacher <metze@samba.org>
Wed, 21 Nov 2012 13:10:43 +0000 (14:10 +0100)
committerStefan Metzmacher <metze@samba.org>
Sat, 24 Nov 2012 10:32:16 +0000 (11:32 +0100)
The access_mask depends on the SD Flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
source4/dsdb/samdb/ldb_modules/acl.c

index 26e9303233a834973deb6592a07b224e97bd28c8..c7a40778b452e6043744be4f9ab4e1c48b7c239c 100644 (file)
@@ -1024,8 +1024,21 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
                                                         req->op.mod.message->elements[i].name);
 
                if (ldb_attr_cmp("nTSecurityDescriptor", req->op.mod.message->elements[i].name) == 0) {
+                       uint32_t sd_flags = dsdb_request_sd_flags(req, NULL);
+                       uint32_t access_mask = 0;
+
+                       if (sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
+                               access_mask |= SEC_STD_WRITE_OWNER;
+                       }
+                       if (sd_flags & SECINFO_DACL) {
+                               access_mask |= SEC_STD_WRITE_DAC;
+                       }
+                       if (sd_flags & SECINFO_SACL) {
+                               access_mask |= SEC_FLAG_SYSTEM_SECURITY;
+                       }
+
                        status = sec_access_check_ds(sd, acl_user_token(module),
-                                            SEC_STD_WRITE_DAC,
+                                            access_mask,
                                             &access_granted,
                                             NULL,
                                             sid);
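Review bot: If dsdb_request_sd_flags() can ever yield a value with none of SECINFO_OWNER/GROUP/DACL/SACL set, access_mask on line 17 stays 0 and sec_access_check_ds() is asked to verify no rights at all for a write to nTSecurityDescriptor, which would be a weaker check than the previous unconditional SEC_STD_WRITE_DAC; whether the helper substitutes a full default for an absent or empty control is not visible in this hunk. If it does, record that reliance above the flag tests with `/* dsdb_request_sd_flags() never returns an empty SECINFO set, so access_mask is non-zero here */`; if it does not, add a guard before the call such as `if (access_mask == 0) { return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; }` or fall back to requiring all three rights. The body of acl_modify begins and ends outside this hunk, so the handling of access_granted after the call could not be reviewed here.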