s4:policy: Fix ACE type comparison
author: Joseph Sutton <josephsutton@catalyst.net.nz>
Wed, 2 Mar 2022 04:14:42 +0000 (17:14 +1300)
committer: Andrew Bartlett <abartlet@samba.org>
Thu, 17 Mar 2022 00:41:34 +0000 (00:41 +0000)
SEC_ACE_TYPE_ values are not flags, so this comparison does not behave
as intended. Modify the check to more closely match the comment.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/lib/policy/gp_manage.c

index 80336edf7008d20815993d8ea203548033c2e20e..769e6c02d2f9807884ca9941bfb7537cf1d4b20b 100644 (file)
@@ -100,7 +100,8 @@ NTSTATUS gp_create_gpt_security_descriptor (TALLOC_CTX *mem_ctx, struct security
                struct security_ace *ace;
 
                /* Don't add the allow for SID_BUILTIN_PREW2K */
-               if (!(ds_sd->dacl->aces[i].type & SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) &&
+               if ((ds_sd->dacl->aces[i].type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
+                    ds_sd->dacl->aces[i].type == SEC_ACE_TYPE_ACCESS_ALLOWED) &&
                                strcmp(trustee, SID_BUILTIN_PREW2K) == 0) {
                        talloc_free(trustee);
                        continue;
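Review bot: The two added lines drop the leading `!` that the removed line had, so this replaces the bitwise test with equality and also inverts which ACEs for SID_BUILTIN_PREW2K reach the `continue`. The commit message only says the check now matches the comment more closely. It should state the behavioural change outright: allow and allow-object ACEs for that trustee are now the ones skipped, and other ACE types for that trustee are no longer skipped. The comment above the condition could also name both types, for example "Don't add the allow or allow-object ACE for SID_BUILTIN_PREW2K", so the next reader does not have to infer it from the two comparisons. Since `ds_sd->dacl->aces[i].type` is now spelled out twice, a local for the ACE type would shorten the condition. A test that builds a descriptor carrying an allow, an allow-object and a non-allow ACE for this trustee and checks which ones are carried over would pin the intended behaviour down.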