s4:dsdb/descriptor: always use descriptor_search_callback if we return nTSecurityDesc...

If the nTSecurityDescriptor is explicitly specified
without the SD Flags control we should go through descriptor_search_callback().

This is not strictly needed at the moment, but makes the code clearer
and might avoid surprises in the future.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index db8bba739528b1ce0c57c74bd9b1a75c57713f44..a876346b6024c83aa6818de3a7a0759530388e51 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -739,9 +739,20 @@ static int descriptor_search(struct ldb_module *module, struct ldb_request *req)
        struct ldb_control *sd_control;
        struct ldb_request *down_req;
        struct descriptor_context *ac;
+       bool show_sd = false;
 
        sd_control = ldb_request_get_control(req, LDB_CONTROL_SD_FLAGS_OID);
-       if (!sd_control) {
+       if (sd_control != NULL) {
+               show_sd = true;
+       }
+
+       if (!show_sd &&
+           ldb_attr_in_list(req->op.search.attrs, "nTSecurityDescriptor"))
+       {
+               show_sd = true;
+       }
+
+       if (!show_sd) {
                return ldb_next_request(module, req);
        }