s4:ldif_handlers Allow a binary nTsecurityDescriptor when parsing LDIF

Also allow a SDDL security descriptor, using the domain SID attached
to the session (it will search for it during the LDIF parse if need
be).

Andrew Bartlett

diff --git a/source4/lib/ldb-samba/ldif_handlers.c b/source4/lib/ldb-samba/ldif_handlers.c
index d2f26e7510587bd716330b006d0cabaafd9aabe3..606d4df76114bea0606da3c4aecd3081c39ee5f5 100644 (file)
--- a/source4/lib/ldb-samba/ldif_handlers.c
+++ b/source4/lib/ldb-samba/ldif_handlers.c
@@ -314,18 +314,34 @@ static int ldif_read_ntSecurityDescriptor(struct ldb_context *ldb, void *mem_ctx
                                          const struct ldb_val *in, struct ldb_val *out)
 {
        struct security_descriptor *sd;
+
        enum ndr_err_code ndr_err;
 
-       sd = sddl_decode(mem_ctx, (const char *)in->data, NULL);
+       sd = talloc(mem_ctx, struct security_descriptor);
        if (sd == NULL) {
                return -1;
        }
+
+       ndr_err = ndr_pull_struct_blob(in, sd, NULL, sd,
+                                      (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
+       if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+               /* If this does not parse, then it is probably SDDL, and we should try it that way */
+               
+               struct dom_sid *sid = samdb_domain_sid(ldb);
+               talloc_free(sd);
+               sd = sddl_decode(mem_ctx, (const char *)in->data, sid);
+               if (sd == NULL) {
+                       return -1;
+               }
+       }
+
        ndr_err = ndr_push_struct_blob(out, mem_ctx, NULL, sd,
                                       (ndr_push_flags_fn_t)ndr_push_security_descriptor);
        talloc_free(sd);
        if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                return -1;
        }
+
        return 0;
 }