s4:dsdb/descriptor: inherit nTSecurityDescriptor changes to children (bug #8621)
authorStefan Metzmacher <metze@samba.org>
Fri, 16 Nov 2012 11:49:16 +0000 (12:49 +0100)
committerMichael Adam <obnox@samba.org>
Fri, 30 Nov 2012 16:17:21 +0000 (17:17 +0100)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
source4/dsdb/samdb/ldb_modules/descriptor.c

index 36a64d06e6f58cce4de4296aba4b21d84a1e1fc5..18caa381038b475f6444b6046f910b5976a826c8 100644 (file)
@@ -644,13 +644,13 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
                                                      "instanceType",
                                                      "objectClass", NULL };
        struct ldb_control *sd_propagation_control;
+       int cmp_ret = -1;
 
        /* do not manipulate our control entries */
        if (ldb_dn_is_special(dn)) {
                return ldb_next_request(module, req);
        }
 
-
        sd_propagation_control = ldb_request_get_control(req,
                                        DSDB_CONTROL_SEC_DESC_PROPAGATION_OID);
        if (sd_propagation_control != NULL) {
@@ -774,9 +774,9 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
        if (msg == NULL) {
                return ldb_oom(ldb);
        }
+       cmp_ret = data_blob_cmp(old_sd, sd);
        if (sd_propagation_control != NULL) {
-               ret = data_blob_cmp(old_sd, sd);
-               if (ret == 0) {
+               if (cmp_ret == 0) {
                        /*
                         * The nTSecurityDescriptor is unchanged,
                         * which means we can stop the processing.
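Review bot: `cmp_ret = data_blob_cmp(old_sd, sd);` now runs on every modify that reaches this point, not only when the propagation control is set, so `old_sd` has to be non-NULL on the ordinary path as well. The assignment of `old_sd` lies outside the hunk; if it can be NULL for an object without a stored nTSecurityDescriptor, a guard such as `if (old_sd == NULL) { return ldb_operr(ldb); }` before the comparison would be needed. A one-line comment such as `/* compared on every path: a changed SD must be propagated to the children */` would also explain why the call was hoisted.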
@@ -800,6 +800,20 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
                if (ret != LDB_SUCCESS) {
                        return ldb_oom(ldb);
                }
+       } else if (cmp_ret != 0) {
+               struct ldb_dn *nc_root;
+
+               ret = dsdb_find_nc_root(ldb, msg, dn, &nc_root);
+               if (ret != LDB_SUCCESS) {
+                       return ldb_oom(ldb);
+               }
+
+               ret = dsdb_module_schedule_sd_propagation(module, nc_root,
+                                                         dn, false);
+               if (ret != LDB_SUCCESS) {
+                       return ldb_operr(ldb);
+               }
+               sd_element->values[0] = *sd;
        } else {
                sd_element->values[0] = *sd;
        }
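Review bot: In the new `else if (cmp_ret != 0)` branch, a failure of `dsdb_find_nc_root` is returned as `ldb_oom(ldb)`, which labels any lookup failure as out-of-memory and discards `ret`. `return ldb_operr(ldb);`, as used for the scheduling call just below, or returning `ret` itself, would keep the cause visible to whoever diagnoses a failed ACL change. The branch also repeats `sd_element->values[0] = *sd;` from the final `else`; nesting the `cmp_ret != 0` check inside that `else`, ahead of a single assignment, would remove the duplicate. The bare `false` passed to `dsdb_module_schedule_sd_propagation` deserves a short comment saying what it selects (presumably whether the modified object itself is included; confirm against the declaration). The body of `descriptor_modify` continues outside the hunk.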