s4:dsdb/descriptor: if the caller specifies no DACL/SACL the objects gets a default one

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

source4/dsdb/samdb/ldb_modules/descriptor.c

@@ -236,6 +236,11 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
 	char *sddl_sd;
 	struct dom_sid *default_owner;
 	struct dom_sid *default_group;
+	struct security_descriptor *default_descriptor = NULL;
+
+	if (objectclass != NULL) {
+		default_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
+	}
 
 	if (object) {
 		user_descriptor = talloc(mem_ctx, struct security_descriptor);
@@ -251,7 +256,7 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
 			return NULL;
 		}
 	} else {
-		user_descriptor = get_sd_unpacked(module, mem_ctx, objectclass);
+		user_descriptor = default_descriptor;
 	}
 
 	if (old_sd) {
@@ -284,6 +289,28 @@ static DATA_BLOB *get_new_descriptor(struct ldb_module *module,
 		}
 	}
 
+	if (user_descriptor && default_descriptor &&
+	    (user_descriptor->dacl == NULL))
+	{
+		user_descriptor->dacl = default_descriptor->dacl;
+		user_descriptor->type |= default_descriptor->type & (
+			SEC_DESC_DACL_PRESENT |
+			SEC_DESC_DACL_DEFAULTED|SEC_DESC_DACL_AUTO_INHERIT_REQ |
+			SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_PROTECTED |
+			SEC_DESC_DACL_TRUSTED);
+	}
+
+	if (user_descriptor && default_descriptor &&
+	    (user_descriptor->sacl == NULL))
+	{
+		user_descriptor->sacl = default_descriptor->sacl;
+		user_descriptor->type |= default_descriptor->type & (
+			SEC_DESC_SACL_PRESENT |
+			SEC_DESC_SACL_DEFAULTED|SEC_DESC_SACL_AUTO_INHERIT_REQ |
+			SEC_DESC_SACL_AUTO_INHERITED|SEC_DESC_SACL_PROTECTED |
+			SEC_DESC_SERVER_SECURITY);
+	}
+
 	default_owner = get_default_ag(mem_ctx, dn,
 				       session_info->security_token, ldb);
 	default_group = get_default_group(mem_ctx, ldb, default_owner);