dsdb: don't allow a missing nTSecurityDescriptor in dsdb_get_sd_from_ldb_message()
author Stefan Metzmacher <metze@samba.org>
Thu, 13 Jun 2013 12:13:26 +0000 (14:13 +0200)
committer Stefan Metzmacher <metze@samba.org>
Thu, 13 Jun 2013 12:18:27 +0000 (14:18 +0200)
Every object has a nTSecurityDescriptor attribute.

This also avoids potential segfaults in the callers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
source4/dsdb/common/dsdb_access.c

index 84005b3e5ef355b2f63bfeb0248f5b67c9e179f9..b918220a06344f9f185a704c4288c98f80df9846 100644 (file)
@@ -64,9 +64,9 @@ int dsdb_get_sd_from_ldb_message(struct ldb_context *ldb,
        enum ndr_err_code ndr_err;
 
        sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
-       if (!sd_element) {
-               *sd = NULL;
-               return LDB_SUCCESS;
+       if (sd_element == NULL) {
+               return ldb_error(ldb, LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS,
+                                "nTSecurityDescriptor is missing");
        }
        *sd = talloc(mem_ctx, struct security_descriptor);
        if(!*sd) {
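
Review bot: the new `if (sd_element == NULL)` branch returns an error without writing `*sd`, whereas the removed lines set `*sd = NULL` before returning. A caller that passes an uninitialized pointer and inspects or frees it on its error path would now see an indeterminate value. Suggest keeping `*sd = NULL;` ahead of the `return ldb_error(...)`, or assigning it once at the top of the function so every early return leaves the out parameter defined. A second, smaller point on the same branch: LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS paired with the message "nTSecurityDescriptor is missing" reports an absent attribute as an access denial. If failing closed is the intent, a one-line comment saying so would help callers that branch on the return code, since the element can also be absent simply because the search that produced `acl_res` did not request it.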