s4-dsdb: force REVISION_ADS for new and updated ACLs in dsdb
author Andrew Tridgell <tridge@samba.org>
Sat, 2 Jan 2010 05:53:20 +0000 (16:53 +1100)
committer Andrew Tridgell <tridge@samba.org>
Sat, 2 Jan 2010 06:28:36 +0000 (17:28 +1100)
w2k8-r2 gives a "schema mismatch" error if the revision is not set to
REVISION_ADS and you replicate the ntsecuritydescriptor using DRS.

Nadya, please check this!

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

source4/dsdb/samdb/ldb_modules/descriptor.c

index d5a5e36e0ea80f357b553467e838f50e80671a1f..f07743c4a2bb163479c003b38f68d61cfafdc45f 100644 (file)
@@ -285,6 +285,14 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
        if (!final_sd) {
                return NULL;
        }
+
+       if (final_sd->dacl) {
+               final_sd->dacl->revision = SECURITY_ACL_REVISION_ADS;
+       }
+       if (final_sd->sacl) {
+               final_sd->sacl->revision = SECURITY_ACL_REVISION_ADS;
+       }
+
        sddl_sd = sddl_encode(mem_ctx, final_sd, domain_sid);
        DEBUG(10, ("Object %s created with desriptor %s\n\n", ldb_dn_get_linearized(dn), sddl_sd));
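Review bot: the two assignments added after the `if (!final_sd)` check overwrite `final_sd->dacl->revision` and `final_sd->sacl->revision` unconditionally, and nothing in the code says why. The reason (w2k8-r2 rejecting the replicated ntsecuritydescriptor with a "schema mismatch" unless the revision is REVISION_ADS) is only in the commit message, so please add a short comment above the block; otherwise a later reader may take the override for a bug and remove it. Since any revision carried by the incoming descriptor is silently replaced, a DEBUG line when the value actually changes would help when diagnosing replication problems. The subject mentions both new and updated ACLs, but the only hunk shown is in `get_new_descriptor()`, so it is worth confirming that the modify path also goes through this function. While touching this area, the context line `"Object %s created with desriptor %s\n\n"` has a typo ("desriptor") and a doubled newline that could be cleaned up.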